TSA issues aviation regulations for airlines, airports facing ‘persistent cybersecurity threat’

The agency's new cybersecurity rules issued on Tuesday followed the Biden administration's national cybersecurity strategy.

In the latest move from the Biden administration to strengthen cybersecurity protections for critical infrastructure operators, the Transportation Security Administration on Tuesday announced regulations to compel airports along with aircraft owners and operators to improve their digital defenses in the face of growing threats.

“Protecting our nation’s transportation system is our highest priority and TSA will continue to work closely with industry stakeholders across all transportation modes to reduce cybersecurity risks and improve cyber resilience to support safe, secure and efficient travel,” TSA Administrator David Pekoske said in a statement. “This amendment to the aviation security programs extends similar performance-based requirements that currently apply to other transportation system critical infrastructure.”

The announcement comes just days after the Biden administration released the National Cybersecurity Strategy, which calls for more stringent regulations for critical infrastructure. TSA’s announcement also follows a move from the Environmental Protection Agency to introduce new rules for the water sector. TSA issued similar measures for passenger and freight railroad carriers in October, and the National Regulatory Commission also issued updated guidance for the first time in years.

TSA said it is taking “emergency action because of persistent cybersecurity threats against U.S. critical infrastructure, including the aviation sector.” Pekoske said last year that the transportation agency was working on new rules for the industry. Additionally, White House officials held classified cybersecurity briefings with airline executives in September.


Aviation owners and operators that fall under TSA’s authority are already required to report cybersecurity breaches to the U.S. Cybersecurity and Infrastructure Security Agency, have an established cybersecurity point of contact, develop an incident response plan and complete a vulnerability assessment, according to the press release.

Airlines must now develop a TSA-approved implementation plan that describes the measures companies are taking to improve digital defenses. The plans require that aviation sector operators be able to operate safely if operational technology or IT networks are compromised, create measures to prevent unauthorized access to critical systems, implement continuous monitoring and detection policies, and keep up with patching using risk-based methods.

While this latest rule does not appear to draw the ire of the aviation industry, according to the Washington Post, previous rulemaking from TSA for the pipeline industry drew such a harsh response from industry and experts that the agency released an updated security directive. TSA is also working on a more permanent rulemaking process for the pipeline industry to replace the security directives issued shortly after the Colonial Pipeline ransomware attack.
