The Department of Homeland Security (DHS) and its Transportation Security Administration (TSA) have issued a handful of sector-specific cybersecurity directives over the last eighteen months. The effort began as a response to the 2021 ransomware attack on the Colonial Pipeline, which became a catalyst for the first major security directive for pipeline owners and operators. This week, in response to persistent cybersecurity threats to critical infrastructure, including the aviation sector, the TSA has issued an emergency Security Directive for airports and aircraft operators.
Why Is TSA Issuing the Aviation Security Directive?
Recent cyberattacks have driven DHS to launch a series of 60-day cybersecurity-focused sprints to operationalize security efforts and raise awareness of key cybersecurity priorities, including in airline and airport operations. As in other critical infrastructure sectors, there’s a push for each entity to make its operations a less lucrative target – reducing risk and raising costs for would-be attackers. With threat actors specifically looking to target major airlines with ransomware, the aviation sector is realizing that it may only be as strong as its weakest link.
The weakest link in an organization may be a compromised cyber-physical system, broad access to a component of operations that enables remote access or unnecessary internet connectivity, or an IT system critical for business operations.
New Requirements for Airports and Airlines
The TSA’s new emergency amendment requirements are designed to strengthen cybersecurity resiliency by focusing on performance-based measures. TSA-regulated airport and aircraft operators must develop an approved implementation plan that describes the measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation of their infrastructure. They must also proactively assess the effectiveness of these measures, including:
- Develop network segmentation policies and controls to ensure that OT and IT systems can continue to operate if either has been compromised;
- Create access control measures to secure and prevent unauthorized access to critical cyber systems;
- Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations; and
- Reduce the risk of exploitation of unpatched systems through the timely application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems, using a risk-based methodology.
How Nozomi Networks Addresses the TSA Aviation Security Directive
Nozomi Networks is in an ideal position to help operators comply with the new TSA guidelines, not only because of our focus on securing critical physical infrastructure and operations from cyberattacks, but also because of our alignment with the full breadth of the initial requirements as well as the more advanced technical recommendations, covering everything from asset visibility to threat detection to reporting on remediation efforts.
Continuous monitoring for threats in these operational networks will require new focus or new technology. In many cases, airports and airlines monitor attack surfaces on the network or on endpoints only to the extent those surfaces can be monitored with existing tools. Nozomi Networks helps by focusing on monitoring threats in operational devices, with awareness of the attack vectors and industry-specific protocols that will be critical to meeting the guidelines.
Timely patching of vulnerable systems will require organizations to do a much better job of managing assets and maintaining awareness of vulnerabilities. Staying on top of emerging zero-day threats and newly discovered CVEs across a wide range of devices is onerous work that is often overlooked. When you’ve got hundreds or thousands of vulnerable devices, you need a system that can prioritize patch update policies and efforts to manage risk most effectively. Because organizations aren’t doing this vulnerability research themselves, they will have to rely on multiple information sources to keep up with known vulnerabilities.
Nozomi Networks has a three-pronged platform for:
- critical infrastructure asset and vulnerability management;
- anomaly and threat detection; and
- forensic analysis tools.
We help organizations identify, classify, and actively monitor all their systems automatically, by device type, location, function, and sensitivity. Within our framework it is easy to visualize networks and devices categorized by operational and monitoring functions and to keep them up to date. With Nozomi Networks, operators can quickly visualize all the OT and IoT vulnerabilities in the network, prioritize which vulnerabilities pose the greatest risk, and assess the level of effort to address the issues network-wide. We provide:
- Actionable insights on remediation steps, patches, and upgrades.
- Built-in analytics scores that highlight which corrections will have the biggest impact on risk reduction, as well as identify which may be more labor-intensive.
The Nozomi Networks platform leverages an AI-driven threat detection engine that analyzes endpoint and network configurations, traffic flows, and network packet contents to provide the deepest and most sophisticated insights for OT networks in the industry.
This TSA security directive addresses the early phases of most cybersecurity maturity models, focusing on network segmentation, access controls, and network monitoring, as well as asset management best practices, proper documentation, and incident response and communication procedures.
Nozomi Networks can help with the most advanced OT, ICS, and SCADA vulnerability management and threat detection capability in the industry. Our knowledge of specific network protocols and device behavior allows us to quickly identify anomalies and to provide actionable remediation guidance.