The Dragos Blog

03.30.23 | 4 min read

Emergency TSA Cybersecurity Directive for Airports & Aircraft Operators: How to Prepare 

This month, the U.S. Transportation Security Administration (TSA) announced four new cybersecurity requirements for airports and aircraft operators. These requirements have been issued on an emergency basis, continuing the ongoing effort of the U.S. Government to enhance cybersecurity resiliency across critical infrastructure sectors. The announcement follows the release of the National Cybersecurity Strategy by the Biden administration on March 2, 2023.

The announcement does not include a documented security directive specifically for airports and aircraft operators but does reference SD-1580/82-22-01, which was issued to passenger and freight railroad carriers in October 2022.  

Based on our experience supporting Dragos customers in both the rail transportation and oil and gas sectors with similar directives, our recommendation is that airport and aircraft operators use the previously issued security directives (particularly the rail transportation directives) as additional guidance for implementing these requirements in the short term, while preparing for a dedicated security directive to be issued to airports and aircraft operators in the future.

New Cybersecurity Requirements

The requirements stated in the release from the TSA are as follows: 

  1. Network segmentation policies and controls that ensure the OT system can operate safely in the event of compromise on the IT network. 
  2. Access control measures to prevent unauthorized local and remote access to critical cyber assets based on the principle of least privilege and utilizing multi-factor authentication where technically feasible. 
  3. Implementation of continuous monitoring and anomaly detection for critical cyber systems. 
  4. Implementation of a vulnerability management program to address patch management for critical cyber systems including operating system, applications, drivers, and firmware on critical cyber systems.

Not surprisingly, each of these requirements corresponds to one or more of the recurring Key Service Engagement Findings documented in the 2022 Dragos ICS/OT Cybersecurity Year in Review Report:

  • 50% of engagements were observed to have weak/poor security perimeters. 
  • 54% of engagements were observed to have shared user credentials between IT and OT networks. 
  • 80% of engagements were observed to have limited visibility into OT networks and systems. 
  • 83% of the vulnerabilities analyzed by the Dragos Threat Intelligence team were observed to be located deep within OT networks (Level 0 to 3 of the Purdue model). 

The four TSA requirements also align with the SANS Institute’s 5 Critical Controls for ICS/OT Cybersecurity with a focus on developing a defensible architecture, increasing OT visibility and monitoring, and implementing a risk-based vulnerability management program. 

How to Get Started Toward Compliance

Before any serious work on compliance with these requirements can begin, it is vital that organizations have an accurate understanding of the critical OT cyber systems relied upon for normal operations. Examples may include baggage handling, passenger processing / ticketing, or airport operations systems. Without an accurate picture of what these systems (also known as the crown jewels) are, and of the critical endpoints responsible for their normal operation, it is very difficult to design and implement the security controls required to protect them.

With a firm understanding of the crown jewels in hand, airports and aircraft operators can make informed decisions on the design and implementation of security controls to comply with the requirements of the TSA directive. 

Looking to the future, Dragos also recommends that airport and aircraft operators expand on the four requirements of the TSA directive and begin developing the policies and procedures that earlier directives have already required of the oil and gas and rail transportation industries.

1 | Establish a Cybersecurity Incident Response Plan

Develop and implement a Cybersecurity Incident Response Plan to reduce the risk of operational disruption should IT and/or OT systems be affected by a cybersecurity incident.

2 | Establish a Cybersecurity Implementation Plan

Develop and implement a Cybersecurity Implementation Plan. This plan must describe the specific measures implemented by owner/operators to prevent disruptions to their infrastructure and/or operations. The implementation plan must also include the schedule by which the owner/operators will follow to implement the controls defined in the plan. The cybersecurity implementation plan must (at a minimum) include technical and procedural controls and measures for the following: 

  • Network segmentation policies and controls that ensure the OT system can operate safely in the event of compromise on the IT network. 
  • Access control measures to prevent unauthorized local and remote access to critical cyber assets based on the principle of least privilege and utilizing multi-factor authentication where technically feasible. 
  • Implementation of continuous monitoring and anomaly detection for critical cyber systems. 
  • Implementation of a vulnerability management program to address patch management for critical cyber systems including operating system, applications, drivers, and firmware on critical cyber systems.

3 | Establish a Cybersecurity Assessment Program

Develop and implement a Cybersecurity Assessment program. This program must document how an airport or air operator will proactively and regularly assess the effectiveness of the cybersecurity measures implemented as part of the Cybersecurity Implementation Plan.  The assessment program must include the following: 

  • A Cybersecurity Architecture Design Review (CADR) that verifies and validates network traffic and systems logs against existing documentation and identifies vulnerabilities related to network design, electronic access control and inter-connectivity between IT and OT systems. 
  • Incorporate any additional assessment capabilities to support identification of system vulnerabilities (e.g., penetration testing to assess an adversary’s ability to compromise OT systems following a breach of the IT network). 
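The first CADR bullet above, and the network segmentation requirement earlier in the post, both come down to one question: does the traffic actually observed between IT and OT match the conduits the architecture documentation says should exist? The script below is an added illustration of that check and is not Dragos, TSA, or any project's code. It assumes a constructed asset inventory (each host tagged with a Purdue-style zone and whether it is a crown jewel), a constructed allow-list of documented conduits, and a handful of constructed flow records in a simple CSV shape; every host address, port, and flow in it is made up for the example.

```python
"""Minimal architecture design review check (constructed example).

Compares observed network flows against a documented asset inventory and a
documented allow-list of IT/DMZ/OT conduits, and reports any cross-zone
traffic the documentation does not account for.
"""
from dataclasses import dataclass
import csv
import io

# Constructed asset inventory: host -> (zone, is_crown_jewel).
# Zones follow the usual IT / DMZ / OT split; anything not listed is UNKNOWN.
ASSET_INVENTORY = {
    "10.10.1.5":  ("IT", False),   # corporate workstation (constructed)
    "10.10.2.20": ("IT", False),   # corporate file server (constructed)
    "10.20.0.10": ("DMZ", False),  # jump host / historian replica (constructed)
    "10.30.1.15": ("OT", True),    # baggage handling HMI (constructed crown jewel)
    "10.30.1.16": ("OT", True),    # baggage handling PLC (constructed crown jewel)
    "10.30.2.40": ("OT", False),   # engineering workstation (constructed)
}

# Constructed documented conduits: (src_zone, dst_zone, dst_port, proto).
# Only these cross-zone paths are expected per the architecture documentation.
DOCUMENTED_CONDUITS = {
    ("IT", "DMZ", 443, "tcp"),   # users reach the historian replica over HTTPS
    ("DMZ", "OT", 502, "tcp"),   # replica polls the PLC over Modbus/TCP
    ("OT", "DMZ", 443, "tcp"),   # OT hosts push data to the DMZ over HTTPS
}

# Constructed flow records, e.g. exported from a flow collector or firewall log.
SAMPLE_FLOWS = """src,dst,dst_port,proto,bytes
10.10.1.5,10.20.0.10,443,tcp,12000
10.20.0.10,10.30.1.16,502,tcp,800
10.10.2.20,10.30.1.15,3389,tcp,540000
10.30.2.40,10.30.1.16,502,tcp,200
10.10.1.5,10.30.1.16,502,tcp,300
10.30.1.15,10.10.2.20,445,tcp,9000
10.10.1.5,192.168.50.9,22,tcp,100
10.20.0.10,10.30.1.16,22,tcp,50
10.30.2.40,10.20.0.10,8443,tcp,100
"""


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dst_port: int
    proto: str
    src_zone: str
    dst_zone: str
    severity: str
    reason: str


def zone_of(host: str) -> str:
    return ASSET_INVENTORY.get(host, ("UNKNOWN", False))[0]


def is_crown_jewel(host: str) -> bool:
    return ASSET_INVENTORY.get(host, ("UNKNOWN", False))[1]


def classify(src_zone: str, dst_zone: str, crown: bool) -> tuple:
    """Rate an undocumented cross-zone flow. Ordering is a constructed policy."""
    if {src_zone, dst_zone} == {"IT", "OT"}:
        return "high", "direct IT/OT traffic bypasses the DMZ conduit"
    if crown:
        return "high", "undocumented conduit to a crown-jewel asset"
    if "UNKNOWN" in (src_zone, dst_zone):
        return "medium", "host missing from asset inventory"
    return "low", "undocumented cross-zone conduit"


def review_flows(flow_csv: str) -> list:
    """Return one Finding per observed cross-zone flow not covered by the docs."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = row["src"], row["dst"]
        port, proto = int(row["dst_port"]), row["proto"].lower()
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue  # intra-zone traffic is out of scope for a conduit review
        if (src_zone, dst_zone, port, proto) in DOCUMENTED_CONDUITS:
            continue  # matches the documented architecture
        severity, reason = classify(src_zone, dst_zone, is_crown_jewel(dst))
        findings.append(Finding(src, dst, port, proto, src_zone, dst_zone, severity, reason))
    return findings


def summarize(findings: list) -> dict:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = review_flows(SAMPLE_FLOWS)
    for f in results:
        print(f"[{f.severity.upper():6}] {f.src_zone}->{f.dst_zone} "
              f"{f.src} -> {f.dst}:{f.dst_port}/{f.proto}  {f.reason}")
    print(summarize(results))
```

On the constructed input this reports six undocumented flows: four rated high (direct IT-to-OT RDP and Modbus, OT-to-IT SMB, and an undocumented SSH path from the DMZ to a crown-jewel PLC), one medium (a destination that is not in the asset inventory at all, which is itself a finding for the crown-jewel identification step), and one low. In a real review the inventory and conduit list would come from the organization's architecture documentation and the flows from its own collectors; the value of the exercise is the diff between the two.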

How Dragos Can Help

Dragos Industrial Cybersecurity solutions can provide end-to-end support for airports and aircraft operators in interpreting and meeting these security requirements. The Dragos Platform and Threat Intelligence offer the monitoring, detection, and visibility required to comply with them, while Dragos Professional Services can identify crown jewels and address gaps in existing cybersecurity infrastructure and programs.

If you’re interested in further guidance or support in implementing an OT cybersecurity strategy and how the Dragos Platform technology can help you effectively and efficiently reach compliance and security, connect with us at sales@dragos.com, reach out to your current account executive at Dragos, or use our contact us form. 
