TSA Issues Emergency Cybersecurity Mandates for Aviation Sector
Given the risk of cyberattacks on critical infrastructure, the government is responding.
After the Colonial Pipeline attack, the TSA (yes, they are responsible for pipeline security; don’t ask) issued a somewhat misguided set of rules to pipeline owners. Those rules were updated a couple of months later, but at least there is some activity. Actually, quite a bit. Here is one piece.
The TSA used its emergency powers to tell airports and aircraft operators to beef up their security.
Why? Well, they are not saying in any detail, but they are saying that there is a PERSISTENT cybersecurity threat to U.S. infrastructure, including aviation.
Unlike the pipeline rules, at least parts of this order are public.
It will require the aviation sector to come up with plans to harden their networks in the face of ongoing attacks.
It will require them to separate (segment in technical terms) their office networks from the operational networks. Operational networks are those that keep the planes flying, the flight crews scheduled and bags moving. They also include all those Internet of Things devices that they use.
Network segmentation has been considered best practice for years, but most companies whine that it is hard for them to segment their networks and they don’t want to. Now they will be pressured to do so.
The idea is that if their office network is hacked, as in the Colonial Pipeline case, the attack won’t automatically spread to the operational network (in Colonial’s case, the pipeline network). That was the fear that had them shut down the operational network and caused panic on the East Coast.
They also have to beef up access controls (those rules that say who can access what), implement continuous monitoring and detection of threats, and test the effectiveness of what they are doing. While all of this is harder to do on the operational network side, it is far from impossible, and it is well-known art on the office network side. They just aren’t doing that because, well, it costs money and they would rather spend that money on, say, things that seem more beneficial to the companies. As Southwest discovered last year, even though that was not a cyber attack, skimping on those invisible details can backfire. In their case, to the tune of over a billion dollars.
And, just like everyone else, the airlines and airports have heard about this thing called the Internet and they are embracing it. Of course, many of the systems they are using were never designed to be on the Internet, but what could possibly go wrong?
The feds acted after the Russians attacked several airports, mostly embarrassing them by defacing their websites, but we don’t know what else they got into.
These new rules are in addition to requirements for proactive incident response plans, vulnerability assessments and a “one throat to choke” head of cybersecurity.
Given the release last week of the National Cybersecurity Strategy, expect more of this. While Republicans say regulation is not needed, there is no evidence to support that idea. After all, everything was secure during the last Republican administration, right? No cyber attacks, no breaches, all was good. Think Equifax (2017, 148 million people affected), WannaCry (2017, almost bankrupted many insurance companies), Marriott (2018, 500 million people affected) and too many others to mention.
Credit: SC Media