Driven by what it says are “persistent threats” to critical infrastructure, including the aviation sector, the Transportation Security Administration (TSA) this week amended its security regulations for airport and aircraft operators to include some cybersecurity measures.
The new cybersecurity requirements follow similar regulations imposed by the agency on passenger and freight railroad carriers last fall.
The requirements include creating access control measures to prevent unauthorized access to critical cyber systems, having continuous cyber monitoring and detection policies and procedures in place to defend critical networks, regularly updating operating systems, applications, software and firmware with security patches, and having network segmentation controls to ensure that operational technology and information technology systems can continue to safely function if one system has been compromised.
Airport and aircraft operators subject to the security amendment must also develop an approved implementation plan that describes their planned actions. The affected entities must also proactively assess the effectiveness of their security measures.
TSA worked with industry and other stakeholders on the cybersecurity requirements for the aviation sector.
“Protecting our nation’s transportation system is our highest priority and TSA will continue to work closely with industry stakeholders across all transportation modes to reduce cybersecurity risks and improve resilience to support safe, secure and efficient travel,” TSA Administrator David Pekoske said in a statement on Tuesday. “This amendment to the aviation security programs extends similar performance-based requirements that currently apply to other transportation system critical infrastructure.”
The cybersecurity requirements for airport and aircraft operators are covered by existing authorities TSA has to regulate in the transportation sector. The agency began issuing cybersecurity measures to certain entities within the transportation sector following the May 2021 ransomware attack against Colonial Pipeline, whose information technology systems were held hostage in the attack, which led the company to shut down pipeline operations temporarily to ensure the malware didn’t pose a threat to the operating systems.