A flight plan towards robust aviation sector security: TSA and FAA cyber security directives
Cyber security is a critical component of overall transportation security, given the increasing reliance on digital technologies and interconnected systems within the aviation industry.
The sector faces an ever-increasing need for comprehensive cyber security measures to protect critical systems and infrastructure from evolving cyber threats. In response, the United States Transportation Security Administration (TSA) and the Federal Aviation Administration (FAA) implemented regulatory requirements for aviation cyber security in 2023. The TSA requirements apply to both air carriers and airports, and the FAA requirements only apply to air carriers.
These new mandates aim to establish comprehensive cyber security programs to safeguard the aviation sector. Our blog explores the scope of these regulations, who needs to comply, and how organizations can navigate the path to compliance with the assistance of expert advisory services.
The TSA's Emergency Amendment (EA) is a direct response to the growing cyber security threats targeting critical aviation infrastructure in the US. It's part of the Department of Homeland Security's broader initiative to bolster the resilience of crucial infrastructure sectors.
On the other hand, the FAA's operational authorization requirement focuses specifically on aviation safety involving aircraft computer network security.
Who needs to comply with the TSA Emergency Amendment?
TSA Emergency Amendment (EA) Requirements: These regulations primarily apply to airports, air carriers, and those operating larger aircraft types, including those committed to the Department of Defense's Civil Reserve Air Fleet.
To comply with the TSA EA requirements, these entities must take the following steps:
1. Identify critical systems essential to the safe operation of aircraft and support infrastructure.
2. Develop and implement a Cybersecurity Improvement Plan (CIP) following TSA's guidelines, which include network segmentation, access control, continuous monitoring, and patch management.
3. Create and execute an annual Cybersecurity Assessment Plan (CAP) to evaluate the effectiveness of the implemented CIP.
Consequences of non-compliance
If an airport, air carrier, or operator does not comply with the new regulatory requirements, the TSA may take several actions: a warning letter, a fine, suspension, or revocation of the operating certificate.
Who needs to comply with FAA Operational Authorization?
FAA Operational Authorization: This requirement is geared towards Part 121, 121/135, 125, or 129 air carriers operating aircraft certified with a special condition for onboard computer network security.
To meet the FAA's operational authorization requirements and obtain OpSpec D301, carriers must:
1. Develop an Aircraft Network Security Program (ANSP) as outlined in Advisory Circular 119-1A and RTCA DO-355.
2. Perform regular risk assessments to identify and mitigate potential cyber security threats.
3. Implement controls for aircraft interfacing systems and establish processes for managing security events.
4. Provide comprehensive training and raise awareness about cyber security best practices among personnel.
Consequences of non-compliance
There are no surprises here, but if an air carrier does not comply with the FAA, the operator may receive a warning letter, a fine, or have their operating certificate suspended or revoked.
Turbulence-free TSA and FAA compliance
Understanding and meeting these complex regulatory requirements can be a daunting task, especially as cyber security threats become more aggressive and sophisticated and attacks in the sector are on the rise. The industry's safety and security rely heavily on organizations consistently meeting these core compliance measures across the entire aviation ecosystem.
"Occurrences of ransomware inside the aviation supply chain are up 600% [in 2022]."
Richard Puckett, Chief Security Officer – Boeing
To meet the cyber security requirements outlined in those recent documents, airports, airlines, and operators should consider implementing the following measures:
Robust cyber security controls: Implement robust cyber security controls and best practices to mitigate identified risks effectively from both an airport and airline infrastructure operations and aircraft operations perspective. This may include measures such as network segmentation, encryption, multi-factor authentication, and regular security patching, which are all crucial for protecting critical systems within airports and airlines.
Asset Management: Curate a thorough database of assets including up-to-date information about each device such as the MAC address, physical location, hostname, and any other information which can prove useful to identifying the asset on the network. For example, asset management records and practices will assist in implementing effective security controls such as physical and logical access controls to secure systems and devices such as Ground Support Equipment (GSE) and portable data loaders which may frequently change hands based on the various technicians on duty.
Network segmentation by functionality and trust zones: Segregate OT network segments, such as baggage handling systems, based on the specific functionality or operational requirements of connected devices and systems. For example, separate segments may be designated for control systems, monitoring systems, and data storage systems to minimize the impact of an attack on critical operations.
Virtual Local Area Networks (VLANs): Implement to logically separate devices and systems within the OT network. VLANs allow for the creation of distinct network segments without the need for physical separation, enabling better control over network traffic and access.
Firewalls: Deploy firewalls to enforce segmentation policies between different OT network segments and review firewall rules. Firewalls can be configured to allow or block traffic between segments based on predefined rules and policies, thereby reducing the risk of unauthorized access and lateral movement by cyber threats.
Access control lists (ACLs): Use ACLs to control the flow of traffic between different network segments. ACLs specify which devices or users are permitted to communicate with specific network resources, helping to restrict access to critical systems and prevent unauthorized interactions.
Network access control (NAC): Implement NAC solutions to enforce security policies and authentication mechanisms for devices connecting to various networks. NAC solutions can assess the security posture of connected devices and enforce compliance with security policies before granting access to the network.
Continuous monitoring and threat intelligence: Implement continuous monitoring and threat intelligence capabilities to detect and respond to cyber security threats in real time. This may involve the use of security information and event management (SIEM) systems, intrusion detection systems (IDS) to monitor traffic between OT network segments or wireless access points both on the ground and on the aircraft (for example), and threat intelligence feeds.
Regular auditing: Implement auditing practices to ensure the effectiveness of policies, procedures, and security controls comprising your Cybersecurity Implementation Plan and Aircraft Network Security Program. Regularly review network segmentation configurations, access controls, and security policies to identify and address any gaps or vulnerabilities that may arise over time.
Incident response planning: Develop and maintain an incident response plan to guide the organization's response to cyber security incidents promptly and effectively. This plan should outline procedures for incident detection, containment, mitigation, and recovery as well as reporting procedures to the TSA, FAA, and other relevant authorities as appropriate.
Vendor management: Implement rigorous vendor management practices to ensure that third-party vendors and service providers adhere to appropriate cyber security standards and requirements. This may include conducting regular security assessments and audits of vendors' systems and practices, particularly any related to remote access of IT and OT networks. This also applies to sourcing aircraft components and vendors supporting aircraft maintenance, repair, and overhaul activities.
Aviation cyber security experts
Addressing these unique challenges is where expert consulting and implementation services can provide invaluable assistance. At NCC Group, our dedicated transport practice has provided tailored solutions to help secure organizations for over 30 years.
We're well-positioned to help you achieve regulatory compliance against aviation sector standards, and there's plenty more we can do to help you achieve optimum levels of cyber security resilience to ensure the safety of your people and customers.
Our services include:
• Architectural Design Reviews.
• Threat Modeling.
• Safety assessments from our Adelard team.
• Developing and assessing security programs.
• Implementing continuous monitoring solutions in complex IT/OT environments.
• Third-party technical assessments (internal and external infrastructure assessments, network segmentation evaluations, wireless network assessments, web and mobile app testing, red & purple teaming exercises, and firewall & device configuration reviews).
Jeff Hall, Sc. D., CISSP, GISCP
Principal Security Consultant & Aerospace Lead, NCC Group NA
Driven by a passion for safe and secure operation, Dr. Jeffrey Hall has over 35 years of proven success working across private industry, DoD, and OGA aviation in the engineering, design, development, and integration of aircraft, unmanned systems, avionics, and OT systems. He’s developed a unique skill set of understanding the mission, embedded systems, cyber resiliency, and strong management and engineering skills providing comprehensive solutions to complex problems from initial design to end of life.
Dr. Hall was a recognized Navy Cybersecurity Safety (CYBERSAFE) aviation cybersecurity technical area expert and cyber warfare subject matter expert. He has extensive knowledge of cyber threats and is also skilled in adversarial cyber risk assessments and incident response (including SCADA/ICS/ embedded systems).
Get aviation cyber security consulting with a global reach and a personal touch.
We’ve developed a cyber security review aligned against the Part-IS (as well as covering FAA & TSA) standards to help your organization quickly and efficiently meet requirements. Reach out to one of our experts to help make sense of cyber requirements in the aviation sector.