In the latest move by the Biden administration to strengthen cybersecurity protections for critical infrastructure operators, the Transportation Security Administration announced regulations this past Tuesday to compel airports, aircraft owners, and operators to improve their digital defenses in the face of growing threats.
Protecting our nation’s transportation system is our top priority, and TSA will continue to collaborate with industry stakeholders across all modes of transportation to reduce cybersecurity risks and improve cyber resilience to support safe, secure, and efficient travel.
According to TSA Administrator David Pekoske, this amendment to the aviation security programs extends similar performance-based requirements that currently apply to other critical transportation system infrastructure.
The announcement comes just days after the Biden administration issued the National Cybersecurity Strategy, which calls for stricter regulations on critical infrastructure. In addition, TSA’s statement comes on the heels of the Environmental Protection Agency’s decision to implement new regulations regarding the water sector.
In October, the TSA issued similar measures for passenger and freight railroad carriers, and the National Regulatory Commission published the updated guidance for the first time in years.
The TSA stated it is taking emergency action due to persistent cybersecurity threats against critical infrastructure in the United States, including the aviation sector.
Pekoske said last year that the transportation agency was working on new industry rules. Furthermore, White House officials held classified cybersecurity briefings with airline executives in September.
According to the press release, aviation owners and operators must report cybersecurity data breaches to the US Cybersecurity and Infrastructure Security Agency, have an established cybersecurity point of contact, develop an incident response plan, and complete a vulnerability assessment.
Airlines must now create a TSA-approved implementation plan outlining their steps to strengthen their digital defenses.
The plans require aviation sector operators to be able to operate safely if operational technology or IT networks are compromised, to develop measures to prevent unauthorized access to critical systems, to implement continuous monitoring and detection policies, and to maintain patching using risk-based methods.
While this latest rule does not appear to enrage the aviation industry, the Washington Post reports that the TSA’s previous rulemaking for the pipeline industry drew such a harsh response from industry and experts that the agency issued an updated security directive.
TSA is also developing a more permanent rulemaking process for the pipeline industry to replace the security directives issued in the aftermath of the Colonial Pipeline ransomware attack.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.
If you liked this post, you will enjoy our newsletter.Get cybersecurity updates you\’ll actually want to read directly in your inbox.