New TSA Emergency Cybersecurity Requirements for Aviation Sector Will Drive New Business for System Integrators, OEMs, and Software Developers

The U.S. Transportation Security Administration (TSA) unveiled an emergency amendment this week requiring airports and aircraft operators to develop an approved “implementation plan” in the face of “persistent cybersecurity threats against United States critical infrastructure, including the aviation sector.” The amendment comes on the heels of increasing U.S. government involvement in transportation cybersecurity regulation. Last October, the TSA issued a similar directive for railroad carriers, asking them to implement similar measures to those in its new aviation regulation.

The TSA aviation directive includes four main measures expected from airlines and airports:

1. Implement network segmentation to ensure that Operational Technology (OT) systems can safely operate if an Information Technology (IT) system has been compromised, and vice versa.
2. Implement access control measures to secure and prevent unauthorized access to critical cybersystems.
3. Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations.
4. Reduce the risk of unpatched systems by implementing security patches and updates for Operating Systems (OSs), applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.

When compared side by side, both the 2022 rail requirements and the 2023 aviation requirements are almost identical. They both call for segmentation, access control, continuous monitoring and timely patching strategies. Both requirements indicate the government’s expanding regulatory footprint in critical infrastructure, including transportation.

The aviation industry is becoming increasingly digitized to maintain efficiency and customer satisfaction. An Atlantic Council special report back in 2019 indicated the looming threats emanating from an expanding cyberattack surface due to digitization in the aviation industry. The report predicted that increasing wireless connectivity and a complex operational environment, alongside increasingly determined and belligerent attackers, means the typical physical controls providing safety in the sector could be compromised. Recent Distributed Denial of Service DDoS attacks on airports in Germany and the United States leading to website downtime and passenger confusion, suggest the sector is no longer insulted from cyberthreats.

This week’s TSA directive should be viewed in light of growing connectivity and increasing risks in the sector, as reports like the Atlantic Council’s predicted. The requirements also demonstrate government activism in a sector long thought to be immune from cyberthreats. This was especially the notion among industry insiders who stated it was not possible to hack aviation systems due to airgaps and hardware guarantees in plane avionics systems where software changes cannot be uploaded to avionics systems while a plane is in flight.

Though it is true that no hacker has ever infiltrated flight control systems and avionics, cyber researchers have warned that hacking these systems is possible. In 2015, the Federal Bureau of Investigation (FBI) alleged that famous hacker and security researcher Chris Roberts briefly controlled a plane by exploiting its security vulnerabilities. Regardless of the feasibility of hacking sensitive air control and avionics systems, attacks targeting airports have skyrocketed in recent years, leaving passengers stranded and ticketing systems paralyzed. These days, modern airports basically function like smart cities and involve various critical operations, including power generation, local transportation systems, waste collection, traffic management, and massive IT systems. New regulation, such as the TSA directive, signal increasing government intervention in this domain. Regulation is one of the most important reasons for increases in cybersecurity spending, and therefore, the directive hints that the aviation sector will become a major customer of cybersecurity services and cyber-hardening of aviation technologies.

The aviation sector’s increasing reliance on connected technology and an assortment of complex systems, coupled with government cybersecurity activism, will provide a ripe opportunity for system integrators to provide solutions for the aviation sector based on existing products. Integrators need to show that their solutions adequately address both the security concerns of their clients and new regulations like the TSA aviation requirements.

As the aviation sector becomes increasingly connected, Industrial Control System (ICS) Original Equipment Manufacturers (OEMs) will need to emphasize embedded security in their equipment that can lead to partnerships with software developers and OT cybersecurity companies that provide device testing. The new directive’s emphasis on system segmentation means cybersecurity vendors should market their firewall solutions to the sector, while hardware providers have an opportunity to provide physical network security appliances and gateways to monitor and filter data traffic. The directive’s access control measure contributes to both physical access control, such as biometric technologies, and network access controls like the use of Virtual Private Networks (VPNs), endpoint security software, and password managers.