TSA cybersecurity amendment for airport, aircraft operators pushes for cyber design engineering evolution

Responding to persistent cybersecurity threats against critical U.S. infrastructure, the Transportation Security Administration (TSA) issued in March an emergency cybersecurity amendment to the security programs of certain TSA-regulated airport and aircraft operators. The amendment takes a performance-based approach: rather than prescribing specific controls, it requires regulated entities to develop plans that harden resilience and prevent disruption and degradation of their infrastructure.

The emergency amendment covers four areas: network segmentation policies and controls; access control measures; continuous monitoring and detection; and the application of security patches and updates for operating systems, applications, drivers, and firmware. The agency will also continue to work closely with the Department of Transportation, the Cybersecurity and Infrastructure Security Agency (CISA), and industry partners to strengthen the cybersecurity resilience of the nation’s critical infrastructure.

The amendment further calls on these TSA-regulated airport and aircraft operators to develop and assess ‘an approved implementation plan that describes measures they are taking to prevent disruption and degradation to their infrastructure.’ To design and implement the required controls, operators must first have an accurate inventory of the critical OT cyber systems and critical endpoints that their normal operations rely on. They must also understand what information could be used to identify vulnerabilities in those critical cyber systems, and what impact exploiting such vulnerabilities could have on operations.

The emergency TSA cybersecurity amendment for airports and aircraft operators comes shortly after the U.S. administration announced its national cybersecurity strategy to reimagine cyberspace, shifting the cybersecurity burden toward technology providers and imposing additional mandates on the organizations that control the majority of the nation’s digital infrastructure.

The TSA amendment follows similar measures that directed designated passenger and freight railroad carriers to enhance cybersecurity resilience by focusing on performance-based measures, announced last October. The security directive enhances cybersecurity preparedness and resilience for the nation’s railroad operations and builds on the agency’s work to strengthen defenses in other transportation modes. It also links closely to the revision and re-issue of the TSA’s July 2022 Security Directive that covers cybersecurity requirements of oil and natural gas pipeline owners and operators, which marked a paradigm shift from a prescriptive, compliance-based standard to a functional, performance-based standard. 

Commenting on the emergency TSA cybersecurity amendment for airports and aircraft operators, Curtis Chmilar, OT cybersecurity professional and people leader at Dragos, flagged that the announcement does not include a documented security directive specifically for airports and aircraft operators, but does reference SD-1580/82-22-01, which was issued to passenger and freight railroad carriers in October 2022.

Chmilar added in a recent blog post that “our recommendation is that airport and aircraft operators utilize the previously issued security directives (particularly the rail transportation directives) for additional guidance on implementing these requirements in the short term while preparing for a dedicated security directive to be issued to airports and aircraft operators in the future.”

Industrial Cyber consulted cybersecurity professionals to assess how prepared and capable TSA-regulated airport and aircraft operators are to implement the new performance-based measures, and what challenges owners and operators are likely to encounter as they do so.

Joe Marshall, security researcher at Cisco Talos

Joe Marshall, security researcher at Cisco Talos, told Industrial Cyber that this is tricky to answer, because not all airports have the same budget to invest in security, and thus are not equally prepared or equipped to address the mandate. “The TSA’s amendment doesn’t seem to distinguish between large international airports, and smaller regional airports that may not have the cybersecurity budget for many IT security controls, much less OT,” he added.

Josh Beed, solutions architect at TXOne Networks

“With TSA delivering detailed cybersecurity guidelines for US railroad and oil pipeline industries, it’s been really apparent that TSA wants to further ensure there are cybersecurity measures in place for critical industries, as stated in President Biden’s National Cybersecurity Strategy,” Josh Beed, solutions architect at TXOne Networks, told Industrial Cyber. “It is no surprise the aviation industry is next to work with TSA on performance-based measures.”

Beed added that “we anticipate operators will face similar challenges to what these other industries are experiencing, such as flat networks and unpatched legacy systems within OT environments. Both are getting significant attention in the TSA requirements, but they can also be challenging for operators to address.”

Christopher L. Crawford, transportation industry director at Waterfall Security Solutions

“Generally, airport and aircraft operators are unprepared to implement the new TSA amendments. This assessment is based on understanding the complexity of most of the current airport network architectures,” Christopher L. Crawford, transportation industry director at Waterfall Security Solutions, told Industrial Cyber. “The past decades in the industry have been about connecting systems to create seamless data sharing; now, they are faced with fundamental network architecture decisions such as network segmentation and unidirectional data flows between highly secure (OT) systems and less secure (IT) systems.”

Crawford also points out that the difficulty they face is assessing their data flows from a new OT cybersecurity lens and distinguishing which systems are considered critical to operations versus those not. “This distinction process is even more difficult without industry-specific OT cybersecurity standards and a general lack of OT cybersecurity discipline.”

Nik Urlaub, critical infrastructure resiliency and safety capability area lead at MITRE Labs’ Cyber Infrastructure Protection Innovation Center

Many large airport and aircraft operators are likely to have plans that cover most of the measures identified in the TSA cybersecurity requirements, Nik Urlaub, critical infrastructure resiliency and safety capability area lead at MITRE Labs’ Cyber Infrastructure Protection Innovation Center, told Industrial Cyber. “It is more a matter of making sure that those plans are followed and covering any gaps. I expect the biggest hurdle here is going to be finding qualified cybersecurity personnel, especially as you move away from the large entities.”

The executives also look into how the March 2023 TSA cybersecurity amendments affect the cybersecurity posture of agency-regulated airport and aircraft operators, what changes these asset owners and operators will need to make, and how competent they are to roll out the amendments.

“I predict a largely positive outcome, as some airports haven’t had to consider in depth how to defend critical OT systems,” Marshall said. “Sometimes a nudge is needed to get thoughts and budgets focused on a positive security direction. Changes will be difficult at first – change always is. But as operators develop a better security vocabulary to address security issues, you’ll see additional investments in technology and people to address the security mandates.”

He also said to be prepared to see investments in visibility, asset identification, and monitoring of OT systems for malicious or unusual behavior. 

Beed said that more recently, “we have seen an increase in attacks, or persistent attempts to attack, operational technology in numerous industries including manufacturing, utilities, and transportation.” 

“In many organizations, there’s not much interaction between IT and OT. IT has its own regulations to address, such as PCI compliance for processing payments or HIPAA compliance in the medical field,” Beed revealed. “Until recently, OT was not faced with regulations. Now both sides are required to understand each other and cooperate to address the grey area between both IT and OT networks and develop a solution that aligns with the regulations.”

On the OT side, it’ll be continually important to provide real-time preventative measures, visibility, and threat detection because threat response is not adequate, Beed assessed. “However, that will be a challenge because there’s a shortage of expertise, which means the unique threats of OT environments and how they differ from IT environments are not as widely understood as they should be.”

There is sufficient evidence collected to date that demonstrates that the TSA amendments, if implemented correctly, will significantly improve the industry’s cybersecurity posture, Crawford said. “For example, the OT cybersecurity foundation of network segmentation is an effective cyber-by-design approach for digital systems. A cyberattack from one digital system to another cannot occur if they don’t share the same network and are either ‘air gapped’ or hardware-enforced to separate. Therefore, the TSA cybersecurity amendments rightfully put this at the top of their amendment list as it is fundamental to improving the cybersecurity posture of any operational system.”

“Asset owners and operators must change the level of awareness, policy, and importance allocated to the OT cybersecurity discipline to achieve what is articulated in the new TSA amendments,” according to Crawford. “They must also realize it is distinctly different from an IT cybersecurity objective. This distinction can be generalized as IT cybersecurity seeks to protect data, whereas OT cybersecurity aims to protect critical operational systems.”

Urlaub said that the recent TSA cybersecurity amendments should have a positive influence on the cybersecurity posture of airport and aircraft operators. “The measures identified are solid best practices that many of these entities are already doing and largely in line with the previous requirements that TSA has issued around pipelines and railroads.”

Under the new emergency amendment, TSA requires impacted airport and aircraft operators to develop an approved implementation plan that describes the measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure.

The plan must include network segmentation policies and controls to ensure that OT systems can continue to safely operate if an IT system has been compromised, and vice versa. It must also establish access control measures to secure and prevent unauthorized access to critical cyber systems, and implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to threats and anomalies affecting critical cyber system operations. Lastly, the plan must reduce the risk of exploitation of unpatched systems by applying security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner, using a risk-based methodology.

The experts then consider whether TSA-regulated entities have the skills needed to develop, to an acceptable standard, an approved implementation plan describing the measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure.

Marshall points out that various operators will have different levels of expertise to apply to address this mandate. “The good news is that no matter your security maturity, organizations like the TSA, DHS CISA, or commercial outside third parties can assist operators in helping to answer difficult questions around understanding and deploying security to address risks. Hopefully, this amendment will help them begin to seek answers to difficult questions.”

“TSA appears to be partnering with each industry to develop plans and requirements that are necessary, yet manageable, to achieve the ultimate security goal,” Beed said. “Take the pipeline industry, for example. The first prescriptive-based directives were inoperable for that environment, and TSA took a step back to work with the oil and gas industry resulting in performance-based directives.” 

Right now, Beed added that “we see TSA starting off with four broad, key requirements that need to happen for the aviation industry. It is possible security directives could be published after TSA collaborates with these organizations to figure out exactly what needs to happen, which could be very close to the railroad requirements.”

Crawford said that the lack of a common referenceable OT cybersecurity standard for airport and aircraft operators makes it challenging to assess competence objectively, given that there will inevitably be considerable variability in cybersecurity approaches taken within the industry without such a standard.

“Additionally, the lack of OT cybersecurity experienced personnel means airports and aircraft operators will need help to gain best practices and experience in developing an implementation plan to meet TSA expectations and at a level commensurate with other critical infrastructure verticals,” he added.

Urlaub highlighted that many large entities are likely to be covering many of the measures that TSA has identified. “It is more a matter of making sure that those plans are followed through on and covering any gaps they identify.”

The cybersecurity experts also examine the inherent challenges aviation asset owners and operators will face as they develop network segmentation policies and controls to ensure that operational technology (OT) systems can continue to safely operate if an IT system has been compromised, and vice versa, and what role these factors play in the aviation sector’s ability to secure and safeguard its OT/ICS environments.

“There are many inherent challenges an asset owner will run into. For example, the first, and perhaps foremost difficult challenge will be simply identifying all the assets they must protect,” Marshall said. “Older legacy assets with long lifespans, like baggage handling systems or HVAC systems, can be difficult to find on a network, and may not respond favorably to security controls necessary to protect them.” 

He added that “taking into account other security deployment and architecture issues – the most essential thing an asset owner should consider is just understanding what a resilient airport looks like, and how to weather any cyber-attack and stay operational.” 

Beed expects flat networks will be one of the greatest inherent challenges – the lateral access between systems makes them especially vulnerable to threats. “Network segmentation allows a single machine or small group of machines to turn off a single business function rather than turning off the entire operation and stops malicious traffic from gaining access to an entire environment,” he added. 

“When an IT system has been compromised, network segmentation allows that portion or segment of the network to be separated to protect and reduce the impact on the broader IT and OT network,” Beed pointed out. 

Another inherent challenge will be unpatched and legacy systems that are running unsupported operating systems, according to Beed. “Overhauling legacy systems with modern technology can be extremely costly and negatively impact the availability of the operation. Therefore, many airport and airline operators may take the approach of virtual patching and trust lists to help secure these older technologies.”

Complexity is the enemy of cybersecurity, and one need only consider how complex an airport operation is to understand the challenge of classifying overnight which systems are OT and which are IT, Crawford said. “Would one airport classify the Baggage Handling System (BHS) as an OT system, while others may not? Who determines this? What industry-specific standards exist to assist in level-setting expectations across operators and supply chains?”

“With these questions outstanding, the challenge for aviation asset owners and operators will be to reach a consensus on definitions and reference architectures,” Crawford underscores. “This is essential to address gross differentials in requirements articulated within the industry. This includes requirements for suppliers confronted with significant and potentially irrelevant cybersecurity requirements in the tendering process. This may exclude or create unfair advantages for product/service providers.”

Additionally, aviation asset owners will be challenged to rethink the interconnectedness of digital systems and focus more on the specific essential data flows, according to Crawford. “For example, after careful assessment, it will become clear that unidirectional traffic flows from a critical operational system to another less secure network is sufficient and creates a more robust cyber secure interconnect.” 

Crawford added that placing hardware-enforced network segmentation between two systems is the level of maturity that the most secure critical infrastructures in the world have adopted. “This type of deterministic cyber design engineering must evolve within the aviation industry.”

Urlaub expects that airport and aircraft operators will run into the same challenges that other organizations face when working to segment OT systems. “These systems are designed for little to no downtime and implementing segmentation will almost certainly require taking these systems offline. Additionally, we have the constraint that many OT environments have. Many of their devices may be quite old. Devices may be expected to be in place for 20 years. So, we may be limited in the capabilities that are available on these devices,” he added.

These are hurdles that will need to be overcome, but we have seen other sectors overcome these issues, Urlaub added. “So, I expect airport and aircraft operators are going to be able to overcome these issues as well.”
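The segmentation requirement described above (OT must keep operating when IT is compromised, and Crawford’s point that a unidirectional flow from the critical system out to the less secure network is sufficient) can be checked mechanically against a firewall rule set. The following is an added example, not code from the article, TSA, or any of the quoted vendors; the zone address ranges, the permitted-flow table, and the sample rules are constructed for illustration. It classifies each allow rule by source and destination zone and reports anything that lets IT reach OT directly, anything that initiates a connection into OT, any wildcard endpoint crossing a zone boundary, and any permitted cross-zone flow left open on all ports.

```python
"""Audit firewall allow rules against an IT/DMZ/OT segmentation policy.

Added example for illustration; zones, flows, and rules below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zone model (assumption, not from the article):
# IT = business network, DMZ = historian replicas / jump hosts, OT = critical cyber systems.
ZONES = {
    "IT": ip_network("10.10.0.0/16"),
    "DMZ": ip_network("10.20.0.0/24"),
    "OT": ip_network("10.30.0.0/16"),
}

# Cross-zone flows the policy permits without review. OT -> DMZ is the
# unidirectional export path; IT only ever talks to the DMZ copy, and
# nothing is allowed to initiate a connection into OT.
PERMITTED_FLOWS = {("IT", "DMZ"), ("DMZ", "IT"), ("OT", "DMZ")}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    port: str    # TCP/UDP port or "any"
    action: str  # "allow" or "deny"


def zone_of(cidr: str) -> str:
    """Map a CIDR to the zone that fully contains it; wildcards and unmapped ranges are flagged."""
    if cidr == "any":
        return "ANY"
    net = ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "UNKNOWN"


def audit(rules):
    """Return (rule name, finding) pairs for allow rules that weaken IT/OT separation."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        if "ANY" in (s, d) or "UNKNOWN" in (s, d):
            # An unscoped or unclassified endpoint can reach into or out of OT unnoticed.
            findings.append((r.name, f"unscoped endpoint ({s} -> {d}); every critical system must be zoned"))
            continue
        if s == d:
            continue  # intra-zone traffic is outside this boundary check
        if (s, d) == ("IT", "OT"):
            findings.append((r.name, "direct IT -> OT path; OT must stay reachable only via DMZ when IT is compromised"))
        elif d == "OT":
            findings.append((r.name, f"inbound {s} -> OT; breaks unidirectional OT -> DMZ export, needs justification"))
        elif (s, d) not in PERMITTED_FLOWS:
            findings.append((r.name, f"unexpected cross-zone flow {s} -> {d}"))
        if r.port == "any" and (s, d) in PERMITTED_FLOWS:
            findings.append((r.name, f"{s} -> {d} allowed on all ports; scope to the protocol the data flow needs"))
    return findings


# Constructed sample rule set, in the first-match order a firewall would evaluate.
SAMPLE_RULES = [
    Rule("hist-export",  "10.30.5.0/24",  "10.20.0.10/32", "5450", "allow"),  # OT historian -> DMZ replica
    Rule("it-reports",   "10.10.0.0/16",  "10.20.0.10/32", "443",  "allow"),  # IT reads the DMZ replica
    Rule("vendor-rdp",   "10.10.40.0/24", "10.30.0.0/16",  "3389", "allow"),  # IT workstations straight into OT
    Rule("scada-mgmt",   "10.20.0.20/32", "10.30.1.0/24",  "any",  "allow"),  # DMZ jump host into OT, all ports
    Rule("bhs-updates",  "any",           "10.30.7.0/24",  "8080", "allow"),  # baggage handling update server, open source
    Rule("default-deny", "any",           "any",           "any",  "deny"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Run stand-alone, the audit flags vendor-rdp, scada-mgmt, and bhs-updates and leaves the two permitted flows alone. The same classification can be pointed at a larger rule export; the part operators will find hard is not the check but agreeing, per Crawford’s question about the baggage handling system, which address ranges belong in the OT zone in the first place.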

The experts also weigh in on how effectively airport and aircraft operators can implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations.

Marshall said that large asset owners and aviation companies invest heavily in cybersecurity and have capable programs. “The worry is smaller operators, who lack budget and expertise to implement the amendment. There will be a learning curve in place they’ll have to adapt and apply themselves to,” he added.

“Hopefully, this is something airport and airline operators have already been doing for a while now,” Beed said. “Monitoring and detection policies and procedures are developed for just about any kind of IT environment with anti-malware, anti-virus, and other tools being used to mitigate threats. Breaches still occur, and organizations are constantly learning and finding gaps and vulnerabilities in their networks.”

However, in today’s world, everybody in the cybersecurity field should be capable of deploying, modifying, and implementing cybersecurity measures where something does not currently exist, he added.

Crawford said that cybersecurity capability within airport and aircraft operators has generally improved over the past few years, which is good news. “The bad news is that it hasn’t matured fast enough, sufficiently differentiated between IT and OT cybersecurity, or employed enough cyber professionals with experience in the OT space.”

“Given this general industry assessment, the specific aspects of continuous monitoring, detection policies, and procedures will need to be re-evaluated/re-written to clarify how critical operational systems are cyber-engineered and managed,” he added.

Urlaub concludes that there are several things that an entity may want to consider implementing before continuous monitoring and detection are put in place, but the TSA requirements should go a good distance to help close that gap for any affected entity.
