TSA issues new cyber security requirements for airport and aircraft operators
WASHINGTON - The Transportation Security Administration (TSA) issued a new cyber security amendment on an emergency basis to the security programs of certain TSA-regulated airport and aircraft operators, following similar measures announced in October 2022 for passenger and freight railroad carriers. This is part of the Department of Homeland Security's efforts to increase the cyber security resilience of U.S. critical infrastructure and follows extensive collaboration with aviation partners.
TSA is taking this emergency action because of persistent cyber security threats against U.S. critical infrastructure, including the aviation sector. The new emergency amendment requires that impacted TSA-regulated entities develop an approved implementation plan that describes measures they are taking to improve their cyber security resilience and prevent disruption and degradation to their infrastructure. They must also proactively assess the effectiveness of these measures, which include the following actions:
- Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa;
- Create access control measures to secure and prevent unauthorized access to critical cyber systems;
- Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cyber security threats and anomalies that affect critical cyber system operations; and
- Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.
This is the latest in TSA's efforts to require that critical transportation sector operators continue to enhance their ability to defend against cyber security threats. Previous requirements for TSA-regulated airport and aircraft operators included measures such as reporting significant cyber security incidents to the Cybersecurity and Infrastructure Security Agency (CISA), establishing a cyber security point of contact, developing and adopting a cyber security incident response plan and completing a cyber security vulnerability assessment.
"Protecting our nation's transportation system is our highest priority and TSA will continue to work closely with industry stakeholders across all transportation modes to reduce cyber security risks and improve cyber resilience to support safe, secure and efficient travel," said TSA Administrator David Pekoske. "This amendment to the aviation security programs extends similar performance-based requirements that currently apply to other transportation system critical infrastructure."