Network segmentation takes center stage in new TSA cybersecurity amendment for airport, aircraft operators

The U.S. Transportation Security Administration (TSA) issued on Tuesday a cybersecurity amendment on an emergency basis to the security programs of certain TSA-regulated airport and aircraft operators, following similar measures announced last October for passenger and freight railroad carriers. The agency calls for developing network segmentation policies and controls to ensure that operational technology (OT) systems can continue to safely operate if an information technology system has been compromised, and vice versa.

The agency is taking this emergency action because of persistent cybersecurity threats against U.S. critical infrastructure, including the aviation sector. The amendment is part of the Department of Homeland Security’s efforts to increase the cybersecurity resilience of U.S. critical infrastructure and follows extensive collaboration with aviation partners. 

The new emergency amendment requires that impacted TSA-regulated entities develop an approved implementation plan that describes measures to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure. Additionally, they must proactively assess the effectiveness of these measures, by developing network segmentation policies and controls to ensure that OT systems can continue to safely operate if an IT system has been compromised, and vice versa. Furthermore, they must create access control measures to secure and prevent unauthorized access to critical cyber systems.

The TSA also laid down the need to implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations. Lastly, the agency seeks to reduce the risk of exploitation of unpatched systems by applying security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems promptly using a risk-based methodology.

This is the latest in TSA’s efforts to require that critical transportation sector operators continue to enhance their ability to defend against cybersecurity threats. Previous requirements for TSA-regulated airport and aircraft operators included measures such as reporting significant cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), establishing a cybersecurity point of contact, developing and adopting a cybersecurity incident response plan, and completing a cybersecurity vulnerability assessment.

“Protecting our nation’s transportation system is our highest priority and TSA will continue to work closely with industry stakeholders across all transportation modes to reduce cybersecurity risks and improve cyber resilience to support safe, secure, and efficient travel,” David Pekoske, TSA Administrator, said in a media statement. “This amendment to the aviation security programs extends similar performance-based requirements that currently apply to other transportation system critical infrastructure.”

It follows last week’s release of a National Cybersecurity Strategy, which identifies a deep and enduring collaboration among stakeholders across the nation’s digital ecosystem. The move serves as a foundation for making a path to resilience in cyberspace more inherently defensible, resilient, and aligned with the country’s values. It also imposes additional mandates on organizations that control the majority of the nation’s digital infrastructure, with an enhanced government role in disrupting hackers and state-sponsored entities.

The move by the TSA coincides with the release of a memorandum by the U.S. Environmental Protection Agency (EPA) that calls upon states to evaluate the cybersecurity of OT used by a public water system (PWS) when conducting PWS sanitary surveys or through other state programs. The memorandum explains various approaches to include cybersecurity in PWS sanitary surveys or other state programs. The EPA is also providing extensive guidance, training, and technical assistance to help states and PWSs increase resilience to cybersecurity incidents.

Commenting on the TSA mandates, Danielle Jablanski, ICS/OT cybersecurity strategist at Nozomi Networks, wrote in an emailed statement that the new requirements are “in line with what we consider industry best practice for prevention, including review of existing access controls, understanding all components operating and their access points, mapping product vulnerabilities and scanning networks for known indicators of compromise.”

“Cybersecurity conversations are stuck in a limited cycle of equip, buy a product, run a table-top exercise, and check compliance boxes – often skipping key steps for organization, failing to exercise function-specific responsibilities, and almost never exercising to failure like a real emergency might require,” Jablanski said. “The TSA guidance for the airline industry is working to clear these hurdles, introducing new training offerings and expanding the understanding for why segmentation and detection are important components for avoiding worst case cyber scenarios.”

Jablanski added that, learning from other major attacks, the weakest link in an organization may be a compromised cyber-physical system, broad access to a component of operations that enables remote access or unnecessary internet connectivity, or an IT system critical for business operations.

In January, the TSA revised the Information Collection Request (ICR), Office of Management and Budget (OMB), that calls for review and approval of a revision of the currently approved collection under the Paperwork Reduction Act (PRA), relating to corporate security reviews and security directives applicable to pipeline owners and operators.

The TSA earlier in December sought input on ways to strengthen cybersecurity and resiliency in the pipeline and rail (including freight, passenger, and transit rail) sectors. The agency is interested in input on improving surface cyber risk management across transportation systems from the industry associations representing these owners/operators, third-party cybersecurity subject matter experts, and insurers and underwriters for cybersecurity risks for these transportation sectors.
