Biden administration plans classified cybersecurity briefings with executives from aviation sector

The U.S. administration has scheduled classified cybersecurity briefings with executives from across the aviation industry in September, a senior White House cybersecurity official reportedly told CyberScoop. Following last year’s National Security Memorandum, the government has been conducting classified cybersecurity briefings with executives from select critical infrastructure sectors as part of an ongoing effort to compel industry leaders to invest more in their digital defenses. 

Anne Neuberger, deputy national security advisor for cyber and emerging technology, said that the threat briefings underscore the administration’s commitment to come to a ‘reasonable compromise once everyone is working off the same intelligence.’ 

The meeting with aviation officials will closely follow another recent White House briefing tailored for specific transportation sector executives. Railroad executives from across the country came to the White House for an Aug. 4 classified briefing on cyber threats targeting their industry as well, Neuberger added.

Commenting on the move, Gary Kinghorn, security analyst at Nozomi Networks, wrote in an emailed statement to Industrial Cyber that, unlike rail, airports and airline operators don’t have to develop and implement an incident response plan and don’t have to complete a vulnerability assessment. “They are required to report security incidents to CISA within 24 hours, which may be challenging because that may not even be enough time to pull together a forensic analysis post-incident. That’s where the pushback would probably come from.” 

The primary air requirements are to have an incident coordinator and report incidents to CISA, which most industries are moving towards and are beneficial to others, Kinghorn said. “The benefits outweigh the costs, so I can imagine air industries getting on board eventually,” he added.

“The airline industry has been working hard over the last few years to work more openly with security researchers and encouraging streamlined vulnerability disclosures,” Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, said. “They are often tasked with additional scrutiny of any new technologies especially related to customer data and any aircraft software additions or changes and are well equipped with requisite expertise to handle additional cybersecurity requirements.”

Analyzing whether regulations go far enough, Kinghorn said that the mandatory incident reporting will have the most benefit in surfacing and prioritizing new zero-day attacks or exposing new Indicators of Compromise (IOCs) that can be quickly shared with other participants in the sharing community, as long as there is broad buy-in and CISA provides the right open infrastructure to support a large, diverse community of organizations. 

“The industry is not starting from zero,” Jablanski said. “Coordinators will have their work cut out for them, already moving to prepare for training, stress testing and demonstrating improvement and ROI for security investments and processes over time, as well as planning for a potential cyber incident to be handled at any time involving a wide range of stakeholders,” she added.

“Like other critical infrastructure sectors, there’s a push across the industry for each entity to make their operations a less-lucrative target – reducing risk and raising costs for would-be attackers,” according to Jablanski. “With threat actors specifically looking to target major airlines with ransomware, the aviation sector is realizing that it may only be as strong as its weakest link. The threat to the air industry, like most critical infrastructure, is a combination of ransomware (because it’s the most directly lucrative) as well as low-level penetration and reconnaissance to just map out attack vectors and surfaces and prepare for more targeted attacks. DDoS is always a possibility, but less common,” she added.

Kinghorn identified the threat to the air industry, like most critical infrastructure, as a combination of ransomware (because it’s the most directly lucrative) as well as low-level penetration and reconnaissance to just map out attack vectors and surfaces and prepare for more targeted attacks. DDoS is always a possibility, but less common, he added.

Jablanski pointed out that industry engagement with the sector to date continues to identify gaps in visibility for legacy technology and connected devices, software and applications, and can help to illuminate processes to enhance vulnerability assessments, supply chain risk management, and operational resilience.

Mike Hamilton, co-founder/CISO at Critical Insight, wrote in an emailed statement to Industrial Cyber that the move was a bit of a push by CISA to get other sector-specific agencies (SSAs) that can regulate to get on the stick and start requiring standards of practice in security to be met. “Coming off the Colonial Pipeline mess where we found that the TSA wasn’t giving any guidance or requirements to pipeline operators, CISA is now directly reaching out to rail and air (both also TSA) and water (EPA) with these briefings, and bringing a bit of heat down on those SSAs. This is also good,” he added.

Hamilton also pointed out that these industries push back mightily when they get something that looks like an unfunded mandate – security requirements in this case. “So until the SSAs actually tell the operators ‘here’s how it has to be,’ we’ll continue to inform the operators with classified information but they aren’t necessarily getting their houses in order, and we’ll continue with security management by a landmine.”

In February, researchers from security firm Proofpoint disclosed that they had kept an eye on a persistent cybercrime hacker group targeting aviation, aerospace, transportation, manufacturing, and defense industries since 2017. Tracked as ‘TA2541’ and using over a dozen different malware payloads, the hacker group consistently uses remote access trojans (RATs) that can be used to control compromised machines remotely. The group ‘remains a consistent, active cybercrime threat,’ especially to entities in its most frequently targeted sectors, including the aviation sector.

Last week, the U.S. administration said it is set to address the cybersecurity issues faced by the chemical sector. The voluntary-first approach to cybersecurity will assist the chemical sector in a fourth 100-day sprint to gain insights into the cybersecurity posture of the nation’s critical infrastructure and improve its resilience. Operators in the chemical sector will follow their counterparts in the critical electric sector, gas pipelines, and water treatment plants in being asked to facilitate visibility into their systems.
