The Transportation Security Administration (TSA) on Tuesday issued new cybersecurity requirements for airports and aircraft operators as part of an “emergency action” to address persistent threats to the aviation industry.
The TSA, as part of the Department of Homeland Security’s efforts to increase the cybersecurity resilience of U.S. critical infrastructure, said new the new regulations require entities to develop and implement a plan that describes actions taken to improve cybersecurity resilience and prevent disruptions. The plan must be proactively assessed to gauge its effectiveness, TSA said.
“Protecting our nation’s transportation system is our highest priority and TSA will continue to work closely with industry stakeholders across all transportation modes to reduce cybersecurity risks and improve cyber resilience to support safe, secure and efficient travel,” said TSA Administrator David Pekoske. “This amendment to the aviation security programs extends similar performance-based requirements that currently apply to other transportation system critical infrastructure.”
Similar measures were released in October 2022 for passenger and freight railroad carriers.
TSA-regulated entities must:
- Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa;
- Create access control measures to secure and prevent unauthorized access to critical cyber systems;
- Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations; and
- Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.
TSA said previous requirements for TSA-regulated airport and aircraft operators included reporting significant cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), establishing a cybersecurity point of contact, developing and adopting a cybersecurity incident response plan and completing a cybersecurity vulnerability assessment.
Related: White House Releases New National Cybersecurity Strategy | U.S. Congress to Investigate FAA Computer Outage That Snarled Flights
Was this article valuable?
Here are more articles you may enjoy.
Interested in Cyber?
Get automatic alerts for this topic.