New TSA Regulations for Airlines Facing “Persistent Cybersecurity Threats”

The Transportation Security Administration on Tuesday announced regulations to force airports, along with aircraft owners and operators, to improve their digital defenses in the face of growing threats. This is the Biden administration’s most recent effort to strengthen cybersecurity protections for operators of critical infrastructure.

“Protecting our nation’s transportation system is our highest priority and TSA will continue to work closely with industry stakeholders across all transportation modes to reduce cybersecurity risks and improve cyber resilience to support safe, secure, and efficient travel,” TSA Administrator David Pekoske said in a statement. “This amendment to the aviation security programs extends similar performance-based requirements that currently apply to other transportation system critical infrastructure.”

Only a few days before the TSA announcement, the Biden administration released The National Cybersecurity Plan, which calls for stricter restrictions for critical infrastructure. The Environmental Protection Agency also announced additional regulations for the water industry earlier this week. In October, the TSA announced comparable measures for passenger and freight railroad operators, and it is now focusing on the aviation sector.

According to the press release, aviation owners and operators that fall under TSA’s requirements are already required to develop an incident response plan, conduct a vulnerability assessment, have a designated cybersecurity point of contact, and report cybersecurity breaches to the U.S. Cybersecurity and Infrastructure Security Agency.

Airlines are now required to create a TSA-approved implementation plan outlining the steps they are taking to strengthen their digital defenses. In accordance with the plans, aviation sector operators must be able to continue operating in a secure manner even if their operational technology or IT networks are compromised, develop strategies to prevent unauthorized access to vital systems, put continuous monitoring and detection procedures into place, and maintain patching using risk-based techniques.

According to the Washington Post, the aviation business does not appear to be upset by this rule.
