TSA issues cybersecurity amendment for aviation industry

The Transportation Security Administration issued a cybersecurity amendment on Tuesday to strengthen protections for airport and aircraft operators.

The Transportation Security Administration issued a cybersecurity amendment on Tuesday to strengthen protections for airport and aircraft operators. Jeff Greenberg / Getty Images

The Transportation Security Administration has released a series of new performance-based cybersecurity measures for the aviation industry just days after the White House released its national cybersecurity strategy.

The Transportation Security Administration is aiming to improve cybersecurity resilience for airports, airlines and operators with a series of new requirements that focus on performance-based measures. 

TSA's cybersecurity amendment issued on Tuesday seeks to bolster aviation security and prevent unauthorized access to critical systems and data with measures like continuous monitoring and detection, network segmentation, access control and system patching. 

The requirements reflect the agency's latest efforts to increase cybersecurity defenses among critical transportation sector operators due to "persistent cybersecurity threats," the agency said in a statement. New cybersecurity requirements were also issued for passenger and freight railroad carriers in October 2022. 

TSA Administrator David Pekoske said in a statement that the aviation security programs amendment “extends similar performance-based requirements that currently apply to other transportation system critical infrastructure.”

The emergency amendment instructs TSA-regulated entities across the aviation sector to develop network segmentation policies and controls that allow operational technology systems to "continue to safely operate in the event that an information technology system has been compromised." 

It also instructs organizations to reduce risks of exploitation of unpatched systems with security patching while using a risk-based methodology to maintain updates for operating systems and firmware on critical cyber systems. 

The emergency amendment also follows last week's release of the national cybersecurity strategy, a sweeping plan that calls for increased regulation and a fundamental shift of liability onto software providers and technology firms. 

While airline owners and operators must report cybersecurity intrusions to CISA and develop their own incident response plans, the new requirements instruct aviation entities to also develop a TSA implementation plan.

The agency said it will approve implementation plans that describe steps entities are taking to improve its cybersecurity resilience, prevent disruption and proactively assess the effectiveness of those measures. 

The aviation industry faces a landscape of cyber threats that has constantly evolved and posed new challenges for airports and airlines. Airport websites across the country were the target of Distributed Denial-of-Service attacks last year that temporarily shut down access to a number of sites, while ransomware attacks and data breaches remained a majority of incidents impacting the industry since 2020, according to data published by SOCRadar.