Aviation is slowly becoming a bigger target for threat actors, especially post-pandemic. The move to rapidly adopt digital and contactless airport technologies to reduce the spread of COVID-19 inadvertently increased the attack surface. At the same time, many still rely on outdated software and hardware that could result in data loss, IT outages, and cyber attacks.
To eliminate some of these risks, the Transportation Security Administration (TSA) recently introduced new cybersecurity requirements for airlines and airports. The measures are similar to those issued for passenger and freight railroad carriers in October 2022 and include the following actions:
The aviation industry still relies heavily on legacy systems and outdated technologies that make implementing IT security controls more difficult. But to comply with TSA’s new cybersecurity requirements, airlines and airports should focus on the basics.
Implementing effective security measures like continuous monitoring or patch management can’t be achieved without first understanding what you have. An accurate IT and cybersecurity asset inventory is a core piece to know what’s going on in your environment — and then being able to protect it.
With a comprehensive and accurate asset inventory, airline operators can identify:
Those are just a few major use cases. But by focusing on the foundational aspects of improving cybersecurity hygiene, the actions required by TSA will become easier to achieve.
In the Federal Aviation Administration’s (FAA) Strategic Plan, FY 2022-2026, cybersecurity is listed as “foundational” to the strategy’s four pillars: Safety, People, Global Leadership, Operational Excellence. The strategy also highlights the need for guidance on how to prevent future cybersecurity incidents.
So it shouldn’t come as a surprise that shortly after the release of its Strategic Plan, the FAA announced it would require any new airport project to implement cybersecurity protocols into their plans in order to be eligible for funding. The FY 2023 Funding Opportunity specifically states, “Each applicant selected for Federal funding under this notice must demonstrate, prior to the signing of the grant agreement, effort to consider and address physical and cyber security risks relevant to the transportation mode and type and scale of the project.”
This is where cybersecurity asset management comes in.
By being able to track all devices, cloud services, software, and users no matter where they’re located, or their uptime or power state, airports will have more visibility into what’s happening in their IT environments. And they’ll be able to demonstrate that to the FAA.
Until recently, there were few regulations specific to cybersecurity in aviation. But as the transportation sector continues to experience an increase in cyber threats, the need for more guidance has become critical.
The above requirements from TSA and the FAA are the first of many. TSA, in coordination with the U.S. Coast Guard and the Department of Transportation, is working on a draft sector-specific plan that includes metrics to measure their cybersecurity efforts around IoT and operational technology (OT) devices. Going forward, IoT and OT devices will be included in sector risk assessments.
The good news is that there are numerous solutions available that can help the aviation industry improve its ability to detect, respond to, and mitigate cyber threats, which includes Axonius.
"Culture is the foundation for any high-performing team. We all process information differently, we listen differently. We come from different backgrounds and experiences. No matter who you are, I want to know that. I want to understand what makes you you and treat you the way you want to be treated, not how I project myself onto you.”
— Jen Easterly, director, Cybersecurity and Infrastructure Security Agency (CISA)
“[Create an environment] where people can understand when they can take time off and not feel like everything is going to fall apart. [Where] they have a plan for their career and how they’re going to grow. [Where] they have time to be with their friends and family enough not to be burned out."
— Deidre Diamond, founder and CEO of CyberSN and Security Diversity
“Actively invite engagement, listen with purpose, and look for signs of burnout. You can't expect everyone to feel equally comfortable expressing an opinion, and so it's important to solicit feedback at times as opposed to always passively expecting it. When you are getting engagement, listen with purpose. Make an effort to not only hear what's being said, but understand and empathize. Lastly, look for signs of burnout. … If you're noticing signs of burnout on the team, look for ways to intervene, like ensuring adequate team resourcing/load balancing to create a healthy work/life balance for everyone, and that team members are able to take PTO."
— Daniel Trauner, senior director of security, Axonius
“We need an environment where failure is not only tolerated, but an understood aspect of innovation. Our attackers are failing forward every single day, [and] we deserve the ability to do the same if we are going to protect our people, data, and organizations.”
— Chris Cochran, co-founder at Hacker Valley Media and creative director at Axonius
41 Madison Avenue, 37th Floor
New York, NY 10010