Practical Steps for TSA Cybersecurity Compliance at Airports

Helping calm the cyber seas for smoother sailing at airports... sorry, wrong analogy!

The Transportation Security Administration (TSA) is recognizing that airports need increased cybersecurity to match that of rail networks and other critical infrastructure.

In a press release dated March 7, 2023, the TSA announced cybersecurity requirements for airports and aircraft operators, directing them to implement a plan to begin addressing risks. The requirements include:

  1. Separate networks so that if one system is compromised, others remain secure.
  2. Secure critical systems by preventing unauthorized access.
  3. Implement ongoing monitoring to detect and respond to cybersecurity threats.
  4. Regularly apply security patches and updates to reduce the risk of exploitation.

It is likely that the TSA will broaden those requirements to match its existing cybersecurity requirements for rail and other operators per SD 1580/82-2022-01A.

Things you can do today
  1. Adopt a comprehensive Incident Response Plan.
    • You can find decent templates online, and we’ve put together templates here: cyberpolicies.io
  2. Secure your systems and applications.
    • For your critical apps, make sure accounts and data security settings are appropriate. We have steps for a dozen-plus apps: securemyapps.io

Comprehensive Security and Preparedness Framework

There are numerous cybersecurity frameworks out there from NIST and others you may already be tracking. To summarize and break things down pragmatically, start mapping out the following.

  1. Foundation & Planning
    • Groundwork: Risk Management & Assessment
      • Establish a risk management process
        • Volumes have been written on this. Regularly consider your data and systems, how things can go wrong, and how to mitigate them.
      • Then do this regularly
        • Regularly re-assess and update plans and inventory. Test your controls and assumptions.
    • Create a Plan: Security Policies & Procedures
      • Create security response plans, defining roles and responsibilities
        • You can find decent templates online, and we’ve put together templates here: https://cyberpolicies.io/
    • Find your Systems: Network & System Mapping
      • Draft technology diagrams to map current infrastructure
        • Visualize and inventory your systems. Pencil and paper or Excalidraw will do.
    • Controls, Patching, Backups
      • Implement a backup strategy with offsite replication and regular testing
        • Table stakes for critical operations. Test them.
      • Set up automated patching cycles
        • Externally facing systems get patched today.
      • Establish access control measures with least privilege principles.
        • Appropriate role-based access and standard (non-administrator) Windows accounts for day-to-day use are required.
        • Ask yourself: what happens when your admin or IT accounts are breached?
  2. Incident Response & Testing
    • Prepare for the Unexpected: Incident Response Plan (IRP)
      • Define clear roles and establish escalation paths
        • A playbook you can quickly run through in the event of an incident will save you headaches. See again https://cyberpolicies.io/.
      • Conduct tabletop exercises to validate and refine the IRP
        • Everyone’s got a plan until they get punched in the face. At the very least, talk through an incident with the right people in the room.
    • Find the Gaps: Vulnerability & Penetration Testing
      • Perform vulnerability assessments, harden configurations, and conduct penetration tests to uncover and address security gaps.
        • Once you have technical controls in place and a modicum of security hardening, it may be worth bringing in expert assessors to find gaps. Spend your resources preparing well before penetration testing.
    • Test Assumptions: Purple & Red Team Exercises
      • Test your hypotheses, find hidden attack paths, and validate your EDR capabilities with simulated attacks.
        • Are your EDR and MSSP doing what you expect?
        • Grading your own homework isn’t a recipe for resilience. Bring in support to check for hidden risks.
  3. Training & Awareness
    • OSHA Training for Technology: Security Training Program
      • Maintain a security training program for users, admins, and finance
        • Phishing training has mixed results, but scam and business email compromise (BEC) training is useful, along with endpoint controls configured to limit the likelihood of a successful attack.
  4. System Security & Monitoring
    • Critical Systems Inventory & Security Architecture
      • Catalog critical systems, identify zones and connections
        • Use the inventory and map created earlier to make sure you understand critical systems and entry points.
      • Secure facility access with physical inspections and background checks.
        • Is access limited? Can badges be cloned?
    • Logging & Monitoring
      • Design a logging architecture that balances comprehensiveness with noise reduction.
        • You can gain considerable insight for free with appropriate Sysmon and Windows Event Forwarding configurations.
      • Optimize existing logs for actionable insights.
        • Ask how attackers actually operate, then configure logs and alerts accordingly to avoid alert fatigue.
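As an added example that is not part of the original post, the following Sysmon configuration fragment shows the trade-off the logging bullets above describe: a couple of chatty sources excluded, and a small set of attacker-relevant events included. The excluded binaries, the selected ports and the excluded domain are assumptions to be replaced by your own baseline.

```xml
<!-- Added example (not from the original post): a compact Sysmon config
     that favours high-value events over raw volume. Excluded images,
     ports and domains are illustrative assumptions; baseline your own. -->
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1 (process creation): record everything except two
         extremely chatty system binaries. The exact-path match means a
         copy with the same name in another directory is still logged. -->
    <RuleGroup name="ProcessCreate noise" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
        <Image condition="is">C:\Windows\System32\conhost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 3 (network connection): logging every connection drowns
         analysts, so include only connections made by script hosts and
         Office apps, plus lateral-movement ports from any process. -->
    <RuleGroup name="NetworkConnect of interest" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="end with">\powershell.exe</Image>
        <Image condition="end with">\wscript.exe</Image>
        <Image condition="end with">\mshta.exe</Image>
        <Image condition="end with">\rundll32.exe</Image>
        <Image condition="end with">\winword.exe</Image>
        <Image condition="end with">\excel.exe</Image>
        <DestinationPort condition="is">3389</DestinationPort>
        <DestinationPort condition="is">445</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
    <!-- Event ID 13 (registry value set): only the classic persistence
         locations, not the registry as a whole. -->
    <RuleGroup name="Registry persistence" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
        <TargetObject condition="contains">\CurrentVersion\Winlogon\</TargetObject>
      </RegistryEvent>
    </RuleGroup>
    <!-- Event ID 22 (DNS query): low volume, high value for spotting
         beaconing. Exclude only a few of your own highest-volume,
         known-good domains (this one is a constructed placeholder). -->
    <RuleGroup name="DNS" groupRelation="or">
      <DnsQuery onmatch="exclude">
        <QueryName condition="end with">.example-known-good.invalid</QueryName>
      </DnsQuery>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Install it with `sysmon64 -accepteula -i sysmon.xml`, then forward the Microsoft-Windows-Sysmon/Operational channel through Windows Event Forwarding so the events land in one place for alerting.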

As with any cybersecurity program, you’ll want to eat the elephant one bite at a time. Fortunately, much of this can be done with your current providers and some strategic initiatives.

While vendors may want to sell you solutions for each item on this list, much can be done for free or at a low cost with built-in capabilities.

If you need additional services, you can get a ballpark on their cost without the sales process here: cyberprices.io.

Resources
  1. Surface Transportation Vulnerability Assessments and Security Plans (VASP) - Proposed Rule 12/20/2016
  2. Enhancing Surface Cyber Risk Management - Proposed Rule 11/30/2022
  3. If you’re getting federal funds through the Airport Terminal Program, FY 2023 Funding Opportunity, you need to “consider and address physical and cyber security risks,” which includes developing an incident response and reporting plan and performing a risk assessment.
  4. CISA Performance Goals (pdf)
