The U.S. Transportation Security Administration (TSA) has shifted attention to the aviation industry as part of an ongoing effort to combat persistent cybersecurity threats against critical infrastructure. Under a just-released emergency amendment to existing aviation security programs, airports and airlines are required to develop an implementation plan to improve resilience and prevent operational disruptions resulting from a cyberattack.
The new requirements add to guidance the TSA has already issued, which requires baseline activities for operational technology (OT) environments: designating a cybersecurity point of contact (POC), performing a risk or vulnerability assessment to understand the risks posed to OT environments, developing and adopting a holistic incident response plan that covers OT, and reporting significant cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
Here are some considerations and recommended approaches for meeting the four key requirements specified under the amendment:
1. Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, or vice versa.
Perimeter defense starts from the assumption that attacks come from outside the network. That is no longer a safe assumption. Recent attacks on industrial control systems (ICS) show a new reality: adversaries are increasingly found already inside trusted portions of a network or of the ICS itself, and segmentation is what limits what they can reach from there.
The basic concept behind segmentation is to build networks with internal boundaries that make it difficult to move from one system to another. The attack on Colonial Pipeline illustrates why this matters. It began with a compromise of the information technology (IT) environment. Because it was unclear how the operational technology (OT) networks would be affected, the company elected, out of an abundance of caution, to shut down the pipeline.
Airports and airlines are unique enterprises that are far more complex than many others. The OT systems that control everything from passenger boarding bridges to baggage handling depend on data generated by IT systems. This requires a level of IT/OT systems integration that will make it challenging to completely segregate the networks. But it is this complex integration of data access needed across the enterprise that can lead to operational or safety impacts if not properly designed.
It should be recognized that the emergency amendment does not require the systems to be physically separated; it is better read as requiring that the interfaces between them be logically separated and controlled. Completely segregating airport and airline systems would be unrealistic, but safeguards at every IT/OT interface are required.
Segmentation strategies can be implemented to deny attackers the ability to move from one system to another. Segmentation alone, however, should not be deployed as the primary defense against cyber sabotage in an OT environment. Boundary and signature-based controls such as firewalls, IDS and IPS are necessary, but on their own they are insufficient: a firewall rule that allows the engineering protocol through the boundary passes a malicious command as readily as a legitimate one.
An assessment of the infrastructure can determine the best strategy for implementing segmentation. For systems that are already segmented, it is crucial to assess the configuration of the boundary components (firewall rule sets, VLAN assignments, remote access paths), since a single permissive rule undoes the segmentation that exists on paper. ISA/IEC 62443 provides an excellent, standards-based approach: the system is partitioned into zones of similar security requirements, and traffic may cross between zones only through defined conduits.
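The zone-and-conduit model lends itself to a mechanical check of whether the segmentation in place matches the segmentation on paper. The script below is an added example for this article, not code from the TSA amendment, ISA/IEC 62443 or any airport: the zone address ranges, the conduit rules and the flow records are all constructed assumptions. It treats every inter-zone flow as denied unless an explicit conduit allows it, and reports observed flows that violate the model.

```python
"""Audit observed flows against a zone-and-conduit model (ISA/IEC 62443 style).

Added example for this article, not code from the TSA amendment or from any
airport. Zone address ranges, conduit rules and the flow records are all
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port, None = any port


# Hypothetical zones (CIDR -> zone name). Anything outside these is "unknown".
ZONES: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("10.10.0.0/16"): "enterprise_it",
    ipaddress.ip_network("10.20.0.0/24"): "ot_dmz",
    ipaddress.ip_network("10.30.0.0/24"): "bhs_control",       # baggage handling PLC network
    ipaddress.ip_network("10.40.0.0/24"): "airfield_lighting",
}

# Default deny: only these conduits may carry traffic between zones.
CONDUITS: Set[Conduit] = {
    Conduit("enterprise_it", "ot_dmz", "tcp", 443),      # IT reads OT data via the DMZ historian
    Conduit("ot_dmz", "bhs_control", "tcp", 44818),      # DMZ gateway talks EtherNet/IP to BHS
    Conduit("ot_dmz", "airfield_lighting", "tcp", 502),  # DMZ gateway polls lighting via Modbus/TCP
    Conduit("bhs_control", "ot_dmz", "tcp", 443),        # BHS pushes status up to the DMZ
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """True if the flow stays inside one zone or matches an explicit conduit."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if "unknown" in (src, dst):
        return False            # unclassified addresses never pass a zone boundary
    if src == dst:
        return True             # intra-zone traffic is governed by zone policy, not conduits
    return any(
        c.src_zone == src and c.dst_zone == dst
        and c.proto in ("any", proto.lower())
        and c.port in (None, port)
        for c in CONDUITS
    )


def audit(flow_log: str) -> List[Tuple[str, str, str, str, str, int]]:
    """Parse 'src,dst,proto,port' records; return the flows that violate the model."""
    violations = []
    for line in flow_log.strip().splitlines():
        src_ip, dst_ip, proto, port = line.split(",")
        if not is_allowed(src_ip, dst_ip, proto, int(port)):
            violations.append((zone_of(src_ip), zone_of(dst_ip),
                               src_ip, dst_ip, proto, int(port)))
    return violations


# Constructed flow records, e.g. exported from a boundary firewall or NetFlow.
FLOW_LOG = """\
10.10.5.21,10.20.0.10,tcp,443
10.20.0.10,10.30.0.5,tcp,44818
10.10.5.21,10.30.0.5,tcp,44818
10.10.5.21,10.40.0.7,tcp,3389
10.30.0.5,10.30.0.9,udp,2222
192.168.77.3,10.40.0.7,tcp,502
"""

if __name__ == "__main__":
    for v in audit(FLOW_LOG):
        print("VIOLATION %s -> %s: %s -> %s %s/%d" % v)
```

Run against the constructed log, the audit flags three flows: an IT workstation reaching the baggage PLC network directly instead of through the DMZ, RDP from IT into the airfield lighting zone, and an address that belongs to no defined zone talking Modbus/TCP to a lighting controller. Each is either a missing firewall rule or a conduit that was never written down, which is exactly the configuration drift the assessment should surface.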
2. Create access control measures to secure and prevent unauthorized access to critical cyber systems.
Identity and access management are cornerstones of cybersecurity. They are often treated as two separate disciplines, who a user is and what that user may do, because each is that important. Knowing who has access, and how and when they are working in the system, has both cyber and physical security implications.
Physical security is addressed by giving only authorized personnel access to communication rooms, control rooms and network devices, using physical access controls such as an automated access control system, locks and access tokens. Logical access controls require a combination of an identifier and an authenticator, such as a login ID and a password, and can be strengthened with multifactor authentication and biometrics. With solid access controls and individual accounts, any malicious action can be attributed to a particular user, or at least to an account or an IP address; shared accounts destroy that attribution.
There is a training component that is just as important. Authorized personnel need to understand the rules: passwords are never shared, and they must be strong. The best security systems can be compromised by human mistakes, so training has to be thorough and repeated at regular intervals to address the evolving nature of potential exposures.
In the airport space, vendors and third parties often have access to IT and OT systems, which complicates the implementation and administration of cybersecurity practices and related training. Frequently, third parties are more than software suppliers; they are responsible for administering and supporting specialized airport IT and OT systems. The principle behind this aspect of the emergency amendment is easy to understand, but applying it within an airport environment will be challenging given the sheer number of systems and responsible parties involved.
3. Implement continuous monitoring and detection policies and procedures to defend against, detect and respond to cybersecurity threats and anomalies that affect critical cyber system operations.
Threats are constantly evolving, and cybercriminals and malicious actors are finding new and creative ways to gain access to even the most secure networks. It’s a fallacy to assume your network will never be penetrated. If a determined attacker, particularly a nation-state actor, is behind the event, there is a high likelihood they will get inside the system.
This is why managed security services are becoming the order of the day. The industry is moving toward a mindset that assumes the adversary has already penetrated exterior defenses (via physical or logical means), and has taken residence in critical systems. Under those scenarios, the best practice is to adopt policies and procedures that build resiliency into the system, so that operators can continue their most critical business functions while under attack.
Many large hub airports may already have some monitoring and detection systems in place, though those systems are generally monitoring IT systems with little to no attention paid to the mission critical OT systems, including airfield lighting, automated escalators and people movers, baggage handling systems, central utilities plant, de-icing facilities, HVAC, fuel storage, life safety systems, power management systems, wastewater management, building management systems, camera systems and supporting infrastructure. The fragility of the aviation ecosystem will make this increasingly important. If a bad actor gained access to airport systems and changed flight data, for instance, it would have a cascading effect on many downstream systems that rely on that information, such as baggage handling, aircraft auto-dock and flight information displays — wreaking havoc on airport operations.
This illustrates why monitoring and detection capability is so important. What does the "defend" portion of this requirement mean in practice? It starts with detection: knowing the adversary is there. The event must then be triaged and the affected components isolated, so that the entire system does not have to be taken down.
With the complexity of the airport enterprise, we are not advocating a broad blanket solution. It is understood that there are certain systems that could go down and not pose a serious disruption to daily operations. A risk-based approach to cybersecurity is what is needed.
The emergency amendment appears to recognize this reality by specifically referring to “critical” cyber systems. The way forward will be for airports, airlines and private industry to work together to identify those systems that are the most critical and address those first.
Monitoring and detection will need to be calibrated so that it goes beyond detecting clear instances of disruption and is also able to detect anomalous behavior that is only slightly out of the ordinary. Readings that are strange or outside the norm should be flagged so that an operator is notified to investigate. This also means the systems have to be continually maintained and fine-tuned: without an active tuning program, the flood of events overwhelms operators, and real events are ignored along with the noise.
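The two halves of that paragraph, flagging readings that are only slightly off and not flooding the operator, pull in opposite directions, and a detector has to handle both. The following is an added example for this article, not code from any monitoring product or from the original page. It keeps a rolling robust baseline (median and median absolute deviation) of an OT signal, flags readings that deviate from it, applies a floor on the deviation scale so that a very steady signal does not turn every wobble into an alert, and rate-limits alerts after one fires. The series is constructed: a 6.6 A airfield lighting constant-current circuit (a realistic nominal value) with a sustained excursion inserted.

```python
"""Baseline-and-deviate anomaly detection for an OT signal, with rate limiting.

Added example for this article, not code from any product. The reading
series below is constructed: a 6.6 A airfield-lighting constant-current
circuit with a sustained excursion inserted.
"""
from collections import deque
from statistics import median
from typing import Deque, List, Optional, Tuple

Alert = Tuple[int, float, float]  # (sample index, value, robust z-score)


class BaselineDetector:
    """Flags readings far from a rolling robust baseline.

    window     number of accepted samples kept as the baseline
    threshold  robust z-score above which a reading is anomalous
    min_scale  floor on the deviation scale, in signal units, so that a very
               steady signal does not make every tiny wobble an alert
    cooldown   samples to stay silent after an alert (prevents alert floods)
    """

    def __init__(self, window: int = 20, threshold: float = 4.0,
                 min_scale: float = 0.1, cooldown: int = 3) -> None:
        self.window: Deque[float] = deque(maxlen=window)
        self.threshold = threshold
        self.min_scale = min_scale
        self.cooldown = cooldown
        self._silent_until = -1
        self._n = 0

    def _zscore(self, value: float) -> float:
        base = list(self.window)
        med = median(base)
        mad = median(abs(x - med) for x in base)
        scale = max(1.4826 * mad, self.min_scale)  # 1.4826 maps MAD to sigma for normal data
        return (value - med) / scale

    def observe(self, value: float) -> Optional[Alert]:
        idx = self._n
        self._n += 1
        if len(self.window) < self.window.maxlen:   # still learning the baseline
            self.window.append(value)
            return None
        z = self._zscore(value)
        if abs(z) < self.threshold:
            self.window.append(value)   # only accepted readings update the baseline
            return None
        if idx <= self._silent_until:   # recently alerted on this signal: suppress
            return None
        self._silent_until = idx + self.cooldown
        return (idx, value, round(z, 2))


def run(readings: List[float], **kwargs) -> List[Alert]:
    """Feed a series through one detector and collect the alerts it raises."""
    det = BaselineDetector(**kwargs)
    alerts: List[Alert] = []
    for value in readings:
        alert = det.observe(value)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed series: 25 readings of a 6.6 A circuit with small deterministic
# noise, then five readings around 9.2 A, then back to normal.
NORMAL = [round(6.6 + 0.02 * ((i * 7) % 5 - 2), 2) for i in range(25)]
EXCURSION = [9.2, 9.1, 9.3, 9.2, 9.1]
READINGS = NORMAL + EXCURSION + NORMAL[:5]

if __name__ == "__main__":
    for idx, value, z in run(READINGS):
        print("sample %d: %.2f A, robust z = %.1f" % (idx, value, z))
```

On the constructed series the detector raises two alerts for a five-sample excursion rather than five: the first at the onset, and one more after the cooldown expires because the condition is still present, which is the signal an operator wants (it is still happening) without the page of duplicates. Excluding anomalous readings from the baseline keeps a sustained fault from quietly becoming the new normal; the trade-off is that a legitimate set-point change must be reflected by resetting the detector, which is a tuning decision the text says has to be owned by someone.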
Time is of the essence in every attack scenario. From initial access to a full breach, the window for response is measured in minutes rather than hours. A detection capability that hunts for and finds threats in near real time is critical to stopping a breach, and is the key to containing and recovering from an attack quickly and with as little impact as possible.
4. Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.
Patches, or system updates, present some unique challenges within an airport or airline enterprise. Put simply, a published patch is a public signal that a vulnerability exists. Attackers routinely compare patched and unpatched versions to locate the flaw, and working exploits for widely deployed software often circulate shortly after the fix. The greatest defense is a comprehensive patching and update plan.
This means assessing the relative risk of each vulnerability in the operational network. No one has the resources or time to patch everything in real time, so identifying the vulnerabilities that pose the most risk is the key to reducing the attack surface.
Baselining risk is the most basic and foundational piece of any OT cybersecurity program. ISA/IEC 62443-3-2 provides a solid, standards-based approach to assessing risk, as do NIST publications such as SP 800-82.
There are also ways to address risk resident in an OT environment that do not require the traditional cyber hygiene approach for every asset. A risk to a critical function or mission can often be engineered out using engineering, operational or support measures: removing or blocking the network path that exposes the vulnerable component, adding a physical or operational interlock that limits what a compromised system can do, or changing the support procedure so that remote access is enabled only while it is needed.
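A risk-based patching methodology has to produce a ranking that an operations team can act on, and it has to give credit for risk that was engineered out rather than patched. The following is an added example for this article, not a method prescribed by the TSA amendment, ISA/IEC 62443 or NIST. The weights, tier thresholds, asset names and finding records are constructed assumptions; a real program would take criticality and exposure from its own risk assessment and feed known-exploitation data from a maintained catalogue.

```python
"""Risk-based ranking of patchable findings on critical cyber systems.

Added example for this article, not a method prescribed by the TSA amendment
or by any standard. Weights, tier thresholds, asset names and the finding
records are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    fid: str                     # internal finding id (placeholder, not a CVE)
    asset: str
    cvss: float                  # CVSS base score, 0-10
    exploited_in_wild: bool      # e.g. listed in a known-exploited catalogue
    criticality: int             # 1 (convenience) .. 5 (safety or mission critical)
    reachable_from_it: bool      # a conduit from the IT zone reaches the vulnerable service
    compensating_control: bool = False  # risk engineered down, e.g. protocol blocked at the boundary


# Hypothetical weights. Likelihood rises with severity, active exploitation and
# IT reachability, and falls when a compensating control is in place.
W_EXPLOITED = 1.5
W_UNREACHABLE = 0.5
W_COMPENSATED = 0.5


def risk_score(f: Finding) -> float:
    """Likelihood-times-impact score in [0, 1]."""
    likelihood = f.cvss / 10.0
    if f.exploited_in_wild:
        likelihood *= W_EXPLOITED
    if not f.reachable_from_it:
        likelihood *= W_UNREACHABLE
    if f.compensating_control:
        likelihood *= W_COMPENSATED
    impact = f.criticality / 5.0
    return round(min(1.0, likelihood * impact), 3)


def tier(score: float) -> str:
    """Map a score to a hypothetical remediation SLA."""
    if score >= 0.6:
        return "next maintenance window (or emergency change)"
    if score >= 0.3:
        return "next planned OT window, after test-environment validation"
    return "backlog, re-evaluate at the next assessment"


def prioritize(findings: List[Finding]) -> List[Tuple[str, float, str]]:
    """Return (finding id, score, tier) sorted from most to least urgent."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.fid, risk_score(f), tier(risk_score(f))) for f in ranked]


# Constructed findings for an airport-style estate.
FINDINGS = [
    Finding("F-1", "bhs-plc-gateway", 9.8, True, 5, True),
    Finding("F-2", "airfield-lighting-hmi", 9.8, True, 5, False, compensating_control=True),
    Finding("F-3", "fids-web-server", 7.5, False, 3, True),
    Finding("F-4", "parking-kiosk", 5.3, False, 1, True),
]

if __name__ == "__main__":
    for fid, score, sla in prioritize(FINDINGS):
        print("%s  %.3f  %s" % (fid, score, sla))
```

The interesting row is F-2. Its severity and asset criticality are identical to F-1, but the vulnerable HMI is not reachable from the IT zone and the exposing protocol has been blocked at the zone boundary, so it drops below a medium-severity finding on an IT-facing web server. That is the risk-based methodology at work: the safety-critical system still gets patched, in the next planned window after validation in the test environment, but it does not force an emergency change on a 24x7 system, and the same scoring records why.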
There are key operational constraints that must be carefully managed with scheduling patches in an airport environment. Airports operate 24x7x365 and mission critical systems such as airfield lighting must remain operational nearly around the clock. The result is a limited maintenance window for OT systems to be patched or updated and virtually no margin for error if the updates fail.
Most airports have recognized this challenge and change control procedures are now in place to mitigate risk. For example, following a quality assurance process whereby system updates and patches are applied in a development or test environment first reduces the likelihood of inadvertently impacting production systems. This is likely to become standard practice in the aviation sector based on the language of the emergency amendment.
As the transportation industry evolves, the need for robust digital and physical security grows.