Aviation is slowly becoming a bigger target for threat actors, especially post-pandemic. The rapid adoption of digital and contactless airport technologies to reduce the spread of COVID-19 inadvertently increased the attack surface. At the same time, many in the industry still rely on outdated software and hardware that could result in data loss, IT outages, and cyber attacks.
To eliminate some of these risks, the Transportation Security Administration (TSA) recently introduced new cybersecurity requirements for airlines and airports. The measures are similar to those issued for passenger and freight railroad carriers in October 2022 and include the following actions:
- Develop network segmentation policies and controls to ensure that operational technology (OT) systems can continue to run safely when an IT system is compromised.
- Create access control measures to secure and prevent unauthorized access to critical cyber systems.
- Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and unusual activity that affect critical cyber system operations.
- Ensure security patches and updates for operating systems, applications, drivers, and firmware running on critical systems are always up-to-date.
Complying with TSA’s new cyber requirements
The aviation industry still relies heavily on legacy systems and outdated technologies that make implementing IT security controls more difficult. But to comply with TSA’s new cybersecurity requirements, airlines and airports should focus on the basics.
Effective security measures like continuous monitoring or patch management can’t be implemented without first understanding what you have. An accurate IT and cybersecurity asset inventory is core to knowing what’s going on in your environment and then being able to protect it.
With a comprehensive and accurate asset inventory, airline operators can identify:
- Devices that aren’t being scanned for vulnerabilities or need security patches
- Assets that are missing endpoint agents
- Devices that are running unsanctioned, potentially malicious software
- Users who are admins with no multi-factor authentication (MFA) enabled
Those are just a few major use cases. But by focusing on the foundational aspects of improving cybersecurity hygiene, the actions required by TSA will become easier to achieve.
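The four checks listed above come down to correlating records from several tools by hostname or user. The following is an added example, not code from this article or from any vendor's product; every hostname, user, threshold and the software allow-list is constructed for illustration.

```python
from datetime import date

# All data below is constructed for illustration.
MAX_SCAN_AGE_DAYS = 30                           # assumed policy threshold
SANCTIONED = {"chrome", "office", "edr-agent"}   # assumed software allow-list

discovered = {"kiosk-01", "bag-plc-02", "ops-ws-03", "gate-ws-04"}  # network discovery
vuln_scans = {                                   # vulnerability scanner export
    "kiosk-01":   {"last_scan": date(2023, 3, 25), "missing_patches": 0},
    "ops-ws-03":  {"last_scan": date(2023, 3, 28), "missing_patches": 3},
    "gate-ws-04": {"last_scan": date(2023, 1, 10), "missing_patches": 0},
}
edr_agents = {"kiosk-01", "ops-ws-03"}           # hosts reporting an endpoint agent
software = {                                     # installed-software inventory
    "kiosk-01":   {"chrome", "edr-agent"},
    "ops-ws-03":  {"chrome", "office", "edr-agent", "remote-admin-tool"},
    "gate-ws-04": {"office"},
}
idp_users = [                                    # identity provider export
    {"name": "alice", "is_admin": True,  "mfa": True},
    {"name": "bob",   "is_admin": True,  "mfa": False},
    {"name": "carol", "is_admin": False, "mfa": False},
]

def find_gaps(today):
    """Correlate the sources by hostname and return the four gap lists."""
    # A device counts as an asset if ANY source has seen it.
    hosts = discovered | set(vuln_scans) | edr_agents | set(software)
    gaps = {"unscanned_or_unpatched": [], "missing_agent": [],
            "unsanctioned_software": {}, "admins_without_mfa": []}
    for host in sorted(hosts):
        scan = vuln_scans.get(host)
        stale = scan is None or (today - scan["last_scan"]).days > MAX_SCAN_AGE_DAYS
        if stale or scan["missing_patches"] > 0:
            gaps["unscanned_or_unpatched"].append(host)
        if host not in edr_agents:
            gaps["missing_agent"].append(host)
        extra = software.get(host, set()) - SANCTIONED
        if extra:
            gaps["unsanctioned_software"][host] = sorted(extra)
    gaps["admins_without_mfa"] = sorted(
        u["name"] for u in idp_users if u["is_admin"] and not u["mfa"])
    return gaps

if __name__ == "__main__":
    for category, found in find_gaps(date(2023, 4, 1)).items():
        print(f"{category}: {found}")
```

A device that only one source has seen, such as `bag-plc-02` here, still appears in the results because the host list is the union of all sources rather than any single tool's view.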
The FAA has its own cybersecurity requirements
In the Federal Aviation Administration’s (FAA) Strategic Plan, FY 2022-2026, cybersecurity is listed as “foundational” to the strategy’s four pillars: Safety, People, Global Leadership, Operational Excellence. The strategy also highlights the need for guidance on how to prevent future cybersecurity incidents.
So it shouldn’t come as a surprise that shortly after the release of its Strategic Plan, the FAA announced it would require any new airport project to incorporate cybersecurity protocols into its plans in order to be eligible for funding. The FY 2023 Funding Opportunity specifically states, “Each applicant selected for Federal funding under this notice must demonstrate, prior to the signing of the grant agreement, effort to consider and address physical and cyber security risks relevant to the transportation mode and type and scale of the project.”
This is where cybersecurity asset management comes in.
By being able to track all devices, cloud services, software, and users regardless of location, uptime, or power state, airports will have more visibility into what’s happening in their IT environments. And they’ll be able to demonstrate that to the FAA.
The future of cybersecurity for aviation
Until recently, there were few regulations specific to cybersecurity in aviation. But as the transportation sector continues to experience an increase in cyber threats, the need for more guidance has become critical.
The above requirements from TSA and the FAA are the first of many. TSA, in coordination with the U.S. Coast Guard and the Department of Transportation, is working on a draft sector-specific plan that includes metrics to measure their cybersecurity efforts around IoT and operational technology (OT) devices. Going forward, IoT and OT devices will be included in sector risk assessments.
The good news is that there are numerous solutions available, including Axonius, that can help the aviation industry improve its ability to detect, respond to, and mitigate cyber threats.