TSA, FAA Requirements Emphasize Cybersecurity for Airport and Aircraft Operators and Airport Terminal Projects: How Tenable Can Help
 
                                  
                The TSA and FAA are making cybersecurity a priority for airport and aircraft operators and for airport terminal projects to prevent disruption and degradation to their infrastructure. Here's what you need to know — and how Tenable can help.
The U.S. Transportation Security Administration (TSA) and the Federal Aviation Administration (FAA) are each taking steps to prioritize cybersecurity for the aviation sector.
On March 7, 2023, the Transportation Security Administration (TSA) issued new cybersecurity requirements in response to ongoing threats against critical infrastructure, including the aviation sector. The FAA, meanwhile, is requiring airport terminal projects to incorporate cybersecurity into their plans to be eligible for the discretionary grant program which offers funds to airport terminal operators.
The new TSA rules require airport and aircraft operators to develop an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their operational technology (OT) and IT infrastructure. The rules also require organizations to proactively assess the effectiveness of these measures. The plans must:
- Develop network segmentation policies and controls to ensure that OT systems can continue to safely operate in the event that an IT system has been compromised, and vice versa;
- Create access control measures to secure and prevent unauthorized access to critical cyber systems;
- Implement continuous monitoring and detection policies and procedures to defend against, detect and respond to cybersecurity threats and anomalies that affect critical cyber system operations; and
- Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.
These new TSA rules provide specific cybersecurity requirements designed to prevent and defend against cyberthreats. Previously, TSA required airport and aircraft operators to take basic steps, such as reporting significant cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), establishing a cybersecurity point of contact, developing and adopting a cybersecurity incident response plan and completing a cybersecurity vulnerability assessment.
Cybersecurity must be a consideration to receive FAA Airport Terminal Program funding
The FAA also prioritizes cybersecurity, stating that every aspect of its current strategy “considers ways to strengthen the agency’s overall approach to new technologies and actively engages in preventing future cybersecurity incidents.” In its FY 2023 Notice of Funding Opportunity for the Airport Terminal Program (ATP), the FAA is now requiring that applicants “must demonstrate … effort to consider and address physical and cyber security risks relevant to the transportation mode and type and scale of the project.”
ATP is a competitive discretionary grant program that provides approximately $1 billion in grant funding annually for five years (fiscal years 2022-2026) to upgrade, modernize and rebuild airport terminals and airport-owned Airport Traffic Control Towers (ATCTs). The FAA recently awarded $1 billion in FY 2023 ATP grants to 99 airports across the country. A list of all of the FY 2023 ATP grantees is here.
Tenable OT Security enables airports and aircraft operators to identify and prioritize cyber vulnerabilities
Security and compliance for airports, aircraft operators and airport terminal projects all need to start with visibility. By getting an inventory of IT and OT assets on their networks, users can see a complete picture of the assets and how they are interconnected. Tenable’s Vulnerability Priority Rating (VPR) scoring generates vulnerability and risk levels using intelligence gained for each asset on the OT network. Reports include detailed insights, along with mitigation suggestions. This enables authorized personnel to quickly identify the highest risk for priority remediation before attackers can exploit vulnerabilities.
Tenable OT Security, previously known as Tenable.ot, offers comprehensive security tools and reports for IT and OT security personnel. With it, airport and aircraft operators gain unmatched visibility across IT/OT operations and deep situational awareness across all global sites and their respective assets — from Windows servers to PLC backplanes — in a single interface. Tenable provides complete visibility into your entire attack surface while measuring and controlling cyber risk across global OT and IT systems.
Airports and aircraft operators can use Tenable OT Security to protect their industrial networks from cyberthreats.
How Tenable can help states meet the new TSA cybersecurity requirements
Check out the table below to see how Tenable can help airport and aircraft operators meet the exposure management requirements included in the TSA’s cybersecurity requirements.
| REQUIREMENT NUMBER | CYBERSECURITY PLAN REQUIREMENT | TENABLE SOLUTION | 
|---|---|---|
| 1 | Implement network segmentation policies and controls to ensure that the OT system can continue to safely operate in the event that an IT system has been compromised. | Asset visibility in segmented OT networks: Segmenting a network limits how far an attack can spread by limiting access privileges. However, segmentation also limits visibility of devices. Tenable OT Security discovers how devices communicate and what protocols they leverage, providing a contextual asset inventory that is critical for securing an OT environment. Additionally, users can identify high risk IT assets an attacker would target and then prioritize actions to mitigate risk. | 
| 3 | Implement continuous monitoring and detection policies and procedures to detect cybersecurity threats and connect anomalies that affect operations. | Detect intrusions, anomalies and device configuration changes: Tenable OT Security leverages multiple detection methodologies to alert on threats coming from external and internal sources. It identifies changes made to controller configurations, even if done directly on the device by a human or malware. Tenable OT Security monitors for unauthorized changes and alerts key stakeholders. It provides extended information for a comprehensive audit trail, resulting in faster incident response and forensic investigations. | 
| 4 | Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology. | Identify known exploits and mitigate risk:Tenable OT Security offers complete visibility, security and compliance enabling airports and aircraft operators to mitigate risk. Tenable OT Security uses CVSS scores as a standardized view of vulnerabilities across the environment. In addition, a Vulnerability Prioritization Rating (VPR) helps practitioners identify the high risk systems and vulnerabilities to focus on, making the best use of your security team’s time during a maintenance window. | 
(Source: Tenable, April 2023)
Register now for our webinar 'New TSA Aviation Cybersecurity Regulations Have Landed. How Do They Impact Your Airport or Airline? Get Advice from Tenable and Brock Solutions' on May 18 at 2 pm ET.
 
Learn more
- TSA Press Release on New Airport Cybersecurity Requirements
- FY 2023 Airport Terminal Program
- FAA Strategic Plan for the 21st Century, FY22-26
- TSA Cybersecurity Directives
- National Cybersecurity Strategy
- NSTAC Report to the President on Information Technology and Operational Technology Convergence
- Forrester Wave Report for Industrial Control Systems (ICS) Security Solutions
 
- Federal
- Government
- OT Security
- Travel
 
        