Preparing for TSA Cybersecurity Compliance with Identity Security
The aviation industry relies on a complex web of players and digital systems to fly passengers safely around the world. Billions of data points flow across this vast interconnected ecosystem – from cloud-based ticketing apps and customer experience portals, to third-party vendors and technology systems, to airport ground operations and in-flight aircraft.
While connectivity is mission-critical to airline and airport operations, it also means that any cyberattack or digital disruption could quickly ripple outward, negatively impacting numerous entities, degrading customer experiences and potentially even compromising human safety.
Just last month, two major airlines disclosed data breaches caused by a cyberattack on a third-party recruiting vendor. According to reports, personal information of nearly 9,000 airline pilots was exposed. Unfortunately, this wasn’t an isolated incident. Cyberattacks on airlines, airports and their many third-party providers are rising globally. As with other critical infrastructure sectors, transportation’s risk exposure is heightened by technical complexity, underlying infrastructure issues and vulnerable operational technology (OT).
A string of distributed denial-of-service (DDoS) attacks last fall temporarily took down several major U.S. airport websites. In February 2023, seven German airports experienced a similar attack that left thousands of travelers stranded. Airports across the European Union (and everywhere else) are being hit hard by ransomware, according to a 2023 report by the European Union Agency for Cybersecurity. The same report identifies airlines’ customer data and original equipment manufacturers’ proprietary information as cyberattackers’ top targeted assets.
Building Cybersecurity Resiliency for Airport and Aircraft Providers
Such targeted attacks on critical infrastructure are prompting government action. In the United States, the Transportation Security Administration (TSA) has called on airports and aircraft providers to step up their cybersecurity practices.
According to enhanced TSA requirements released this March, all TSA-regulated airports and aircraft providers must “develop an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure.” TSA released similar requirements in 2022 for passenger and freight railroad carriers. Both steps are part of a broader push to strengthen the cybersecurity resilience of the nation’s critical infrastructure and align with the Biden administration’s Zero Trust-focused National Cybersecurity Strategy.
Preparing to Meet TSA’s Enhanced Cybersecurity Requirements
Airport and aircraft operators must take four actions to meet TSA’s latest cybersecurity requirements. While specific details on mandatory security controls, assessment parameters and compliance deadlines have not yet been disclosed, many TSA-regulated entities are referencing Security Directive 1580/82-22-01 for the railroad industry as they prepare for their own directive. In the meantime, they have this high-level guidance from TSA:
Action 1: Network Segmentation
“Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa.”
Network segmentation is an important step for limiting access to devices, data and applications. In the aviation industry, operational technology (OT) networks power everything from airport baggage-handling systems to critical air traffic control processes. Creating boundaries between OT and IT networks helps minimize identity-based threats, such as phishing, ransomware and other credential theft attacks. Network segmentation also separates and protects OT network layers while allowing authorized communications and other critical processes to continue.
Action 2: Access Control
“Create access control measures to secure and prevent unauthorized access to critical cyber systems.”
The aviation sector is in a continuous state of digital transformation and identities – human and machine – are surging in numbers. Across industries, virtually all (99%) security decision-makers believe they’ll face an identity-related compromise in the year ahead, reinforcing the need for a Zero Trust approach to security.
Modern identity security controls, centered on privilege, enable Zero Trust by verifying every user, validating every device and intelligently limiting access to any resource anywhere, everywhere. This includes continuous authentication to validate a user’s entire session – not simply a single multi-factor authentication (MFA) request – and monitoring user behavior to identify when an identity has been compromised. This brings us to TSA’s required action number three.
Action 3: Continuous Monitoring and Detection
“Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations.”
With so many distributed workforce and privileged users, third-party vendors and data streams in play, aviation organizations need a centralized, continuous process to detect risky security events and behaviors. Otherwise, context and coverage gaps could cause them to miss, mishandle or respond too slowly. Identity security solutions that continuously monitor behavioral signals help ensure users are who they say they are, while empowering incident response and security operations teams to address threats quickly and confidently.
Action 4: Patch and Manage Critical OT Connections
“Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.”
Keeping critical airport and airline systems patched and up to date is an essential defense-in-depth endpoint security component. But human error has no patch. Combining patch management and other traditional endpoint security tools with foundational endpoint privilege security will help strengthen overall security posture and reduce exposure to ransomware and other dynamic threats.
How Aviation Organizations Can Strengthen Cyber Resilience
Navigating evolving cybersecurity requirements can be complex, but airports and airlines don’t have to go it alone. CyberArk can provide the guidance and support needed for these critical infrastructure organizations to comply with TSA’s enhanced requirements to protect information and systems.
The CyberArk Identity Security Platform is uniquely positioned to help them strengthen cyber resilience by surrounding every identity – human and machine – with a powerful force field of continuous protection. With a security-first approach grounded in Zero Trust and least privilege, CyberArk enables them to manage who has access to what, and for how long, while empowering them with the confidence of unmatched detection, prevention and control over their entire infrastructure.
Jay Willoughby is AVP Commercial Sales – U.S. at CyberArk.