TSA Cybersecurity Directive for Airports & Aircraft Operators

By Jared Hoskins, CEO, Summit V. This article was originally published on Summit V’s blog on April 4, 2023.

On March 7, 2023, the United States Transportation Security Administration (TSA) issued a new cybersecurity amendment to the security programs of specific TSA-regulated airport and aircraft operators. According to the TSA, this step was part of the Department of Homeland Security’s broader efforts to increase the cybersecurity resilience of US critical infrastructure, but also in response to persistent cybersecurity threats against critical infrastructure, including the aviation sector.

The amendment requires that impacted TSA-regulated entities develop an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure. According to the TSA press release, the requirements are as follows:

  1. Network segmentation policies and controls that ensure the OT system can operate safely in the event of compromise on the IT network.
  2. Access control measures to prevent unauthorized local and remote access to critical cyber assets based on the principle of least privilege and utilizing multi-factor authentication where technically feasible.
  3. Implementation of continuous monitoring and anomaly detection for critical cyber systems.
  4. Implementation of a vulnerability management program to address patch management for critical cyber systems including operating system, applications, drivers, and firmware on critical cyber systems.

How to Get Started Toward Compliance

Unsurprisingly, each of the requirements corresponds to one or more of the recurring findings we see at Summit V, and our own statistics correlate those findings with weak security perimeters. As a cybersecurity supply chain management firm providing Network & Systems Engineering, IT/IS Network & Software support, Pen Testing, Vulnerability Assessments, & Unified Communication Services to both the private and public sector, our organization monitors these statistics:

  • 54% of engagements were observed to have shared user credentials between IT and OT networks.
  • 80% of engagements were observed to have limited visibility into OT networks and systems.
  • 83% of the vulnerabilities analyzed by the Summit V Threat Intelligence team were observed to be located deep within OT networks.

The four TSA requirements also align with the SANS Institute’s 5 Critical Controls for ICS/OT Cybersecurity with a focus on developing a defensible architecture, increasing OT visibility and monitoring, and implementing a risk-based vulnerability management program.

Based on our experience supporting Summit V customers in both the rail transportation and oil and gas sectors with similar directives, our recommendation is that airport and aircraft operators use the previously issued security directives (particularly the rail transportation directives) for additional guidance on implementing these requirements in the short term, while preparing for a dedicated security directive to be issued to airports and aircraft operators in the future. Before any serious work on compliance with these requirements can begin, it is vital that organizations have an accurate understanding of the critical OT cyber systems that normal operations rely on. Examples may include baggage handling, passenger processing / ticketing, or airport operations systems. Without an accurate picture of what these systems are and of the critical endpoints responsible for their normal operation, it is incredibly difficult to design and implement the security controls required to protect them.

With a firm understanding of the security scope, airports and aircraft operators can make informed decisions on the design and implementation of security controls to comply with the requirements of the TSA directive.

Looking to the future, Summit V also recommends that airport and aircraft operators expand on the four requirements of the TSA directive and begin developing the policies and procedures that previous directives have already required of the oil and gas and rail transportation industries.

1 | Establish a Cybersecurity Incident Response Plan

Develop and implement a Cybersecurity Incident Response Plan to reduce the risk of operational disruption should IT and/or OT systems be affected by a cybersecurity incident.

2 | Establish a Cybersecurity Implementation Plan

Develop and implement a Cybersecurity Implementation Plan. This plan must describe the specific measures implemented by owner/operators to prevent disruptions to their infrastructure and/or operations. The implementation plan must also include the schedule the owner/operators will follow to implement the controls defined in the plan. The cybersecurity implementation plan must (at a minimum) include technical and procedural controls and measures for the following:

  • Network segmentation policies and controls that ensure the OT system can operate safely in the event of compromise on the IT network.
  • Access control measures to prevent unauthorized local and remote access to critical cyber assets based on the principle of least privilege and utilizing multi-factor authentication where technically feasible.
  • Implementation of continuous monitoring and anomaly detection for critical cyber systems.
  • Implementation of a vulnerability management program to address patch management for critical cyber systems including Operating System, applications, drivers, and firmware on critical cyber systems.

3 | Establish a Cybersecurity Assessment Program

Develop and implement a Cybersecurity Assessment program. This program must document how an airport or air operator will proactively and regularly assess the effectiveness of the cybersecurity measures implemented as part of the Cybersecurity Implementation Plan. The assessment program must include the following:

  • A Cybersecurity Architecture Design Review (CADR) that verifies and validates network traffic and systems logs against existing documentation and identifies vulnerabilities related to network design, electronic access control and inter-connectivity between IT and OT systems.
  • Incorporate any additional assessment capabilities to support identification of system vulnerabilities (e.g., penetration testing to assess an adversary’s ability to compromise OT systems following a breach of the IT network).
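The CADR bullet above asks for network traffic and system logs to be verified against the documented design, and the segmentation and access-control requirements (and the shared-credential statistic earlier in the article) describe what that verification should catch. The following is an added example, not Summit V or TSA tooling: it takes a hypothetical documented address plan (the IT, DMZ and OT zones and the two permitted cross-zone flows are constructed for this example), reads constructed firewall-style flow records and authentication records in key=value form, and reports cross-zone flows the design does not permit together with accounts that have successfully logged in from both the IT and OT zones. Every address, port, user name and log line is made up for illustration.

```python
"""Added example: checking observed IT/OT traffic and logins against the
documented segmentation design.  All zones, allowed flows and log lines are
constructed for this example; nothing here is Summit V or TSA tooling."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Documented zones (hypothetical address plan for an airport OT environment).
ZONES = {
    "IT": [ip_network("10.10.0.0/16")],
    "DMZ": [ip_network("10.30.0.0/24")],
    "OT": [ip_network("10.20.0.0/16")],   # e.g. baggage handling PLCs, historians
}

# Documented cross-zone flows as (source zone, destination zone, destination port).
# Constructed design: IT reaches OT data only via a DMZ relay, never directly.
ALLOWED_CROSS_ZONE = {
    ("IT", "DMZ", 443),   # users query the DMZ replica over HTTPS
    ("DMZ", "OT", 502),   # DMZ relay polls the OT historian over Modbus/TCP
}

KV = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> dict:
    """Parse 'key=value' tokens from a log line into a dict."""
    return dict(KV.findall(line))


def zone_of(ip: str) -> str:
    """Map an address to its documented zone, or UNKNOWN if undocumented."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "UNKNOWN"


def segmentation_violations(flow_lines):
    """Return cross-zone flows that the documented design does not permit.

    Each finding is (src_zone, dst_zone, src, dst, dport).  Flows involving an
    UNKNOWN zone are reported too: an undocumented asset is itself a gap."""
    findings = []
    for line in flow_lines:
        f = parse_kv(line)
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        dport = int(f["dport"])
        if src_zone == dst_zone and src_zone != "UNKNOWN":
            continue  # intra-zone traffic is outside the segmentation rules
        if (src_zone, dst_zone, dport) in ALLOWED_CROSS_ZONE:
            continue
        findings.append((src_zone, dst_zone, f["src"], f["dst"], dport))
    return findings


def shared_accounts(auth_lines):
    """Return accounts that logged in successfully from both the IT and OT zones."""
    zones_by_user = defaultdict(set)
    for line in auth_lines:
        a = parse_kv(line)
        if a.get("result") == "success":
            zones_by_user[a["user"]].add(zone_of(a["src"]))
    return sorted(u for u, z in zones_by_user.items() if {"IT", "OT"} <= z)


# Constructed sample flow records (firewall/NetFlow style, key=value format).
FLOW_LOG = [
    "2023-03-07T10:00:01Z src=10.10.5.4 dst=10.30.0.10 dport=443 proto=tcp",   # IT -> DMZ, allowed
    "2023-03-07T10:00:02Z src=10.30.0.10 dst=10.20.1.10 dport=502 proto=tcp",  # DMZ -> OT, allowed
    "2023-03-07T10:00:03Z src=10.10.5.4 dst=10.20.1.10 dport=502 proto=tcp",   # IT -> OT direct: violation
    "2023-03-07T10:00:04Z src=10.10.7.9 dst=10.20.1.20 dport=3389 proto=tcp",  # IT -> OT RDP: violation
    "2023-03-07T10:00:05Z src=10.20.1.10 dst=10.20.1.11 dport=502 proto=tcp",  # intra-OT
    "2023-03-07T10:00:06Z src=10.10.5.4 dst=10.10.9.9 dport=445 proto=tcp",    # intra-IT
]

# Constructed sample authentication records.
AUTH_LOG = [
    "2023-03-07T10:05:00Z user=jsmith src=10.10.5.4 result=success",
    "2023-03-07T10:06:00Z user=jsmith src=10.20.1.20 result=success",       # same account used on OT
    "2023-03-07T10:07:00Z user=ot_operator src=10.20.1.20 result=success",
    "2023-03-07T10:08:00Z user=ot_operator src=10.10.5.4 result=failure",   # failed attempt, not counted
]

if __name__ == "__main__":
    for finding in segmentation_violations(FLOW_LOG):
        print("undocumented cross-zone flow:", finding)
    for user in shared_accounts(AUTH_LOG):
        print("account used in both IT and OT:", user)
```

Run against real exports, the value of a check like this is that the allow-list is the design document itself: every flow it reports is either an undocumented path between IT and OT that the segmentation design must be updated to justify or a control that is not enforcing the design, and every account it reports is a credential whose compromise on the IT side grants OT access, which is precisely the shared-credential finding cited earlier in the article.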