Experts push back against TSA’s 24-hour cybersecurity incident reporting rule for aviation industry

Aviation companies are pushing back against efforts by the Transportation Security Administration (TSA) to require that all cybersecurity incidents be reported to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours.

The TSA — part of the Department of Homeland Security (DHS) — began receiving feedback from industry on new cybersecurity regulations passed in December.

The agency’s updates on its aviation security programs required every airport and airline operator to designate a cybersecurity coordinator and report cybersecurity incidents to CISA within 24 hours.

The TSA has faced significant backlash this year over cybersecurity regulations passed for the pipeline industry, which experts have called too prescriptive. The agency eventually revised those pipeline rules in June, telling The Record that it wanted to provide the “flexibility needed to ensure advances in cybersecurity through technological improvements.”

Cybersecurity experts working with airlines have said they expect companies in the aviation sector to challenge the 24-hour reporting rule. The rule – which has also been applied to pipeline operators – originally set a 12-hour deadline, but was doubled following backlash from the pipeline industry.

Padraic O’Reilly, co-founder of cyber risk management firm CyberSaint, works with several airlines who “still find that time frame too short to classify whether something is an incident.”

As they increasingly try to impose stricter guidelines, many governments are struggling to define what types of attacks would meet the reporting threshold.

For example, the volume of scanning and probing activity – in which hackers monitor systems but steal nothing – carried out by nation states and cybercriminals would make reporting every incident an unnecessary burden on resource-strapped government agencies, several business groups told the Indian government in May after it instituted a 6-hour incident reporting requirement for big tech companies.

Many companies also don’t have full-time security staff, so it can be unclear when the real 24-hour clock will start.

O’Reilly explained that the other provisions of the measure – requiring a cyber coordinator, an incident response plan and vulnerability gap assessments – were “either already in place or relatively uncontroversial”.

‘Non Aligned’

The International Air Transport Association (IATA), the largest trade body representing airlines in the world, has been a powerful voice in the debate over the industry’s approach to cybersecurity.

It is in the process of developing an industry-wide aviation cybersecurity strategy and has created several formal and informal aviation cybersecurity working groups.

IATA’s Perry Flint told The Record that effective cybersecurity “requires close and meaningful collaboration between industry and government stakeholders.”

“Unfortunately, in the case of the recent TSA cybersecurity directive, while there has been outreach and consultation, it is not clear that industry input and expertise has made its way into the guideline,” he said.

“For example, the definitions of certain terms are not aligned with international guidance and recommendations, even though the United States is a member of the International Civil Aviation Organization (ICAO).”

Flint would not elaborate further on the conditions involved or any other issues the association may have with the TSA measures.

A recent report revealed that there were 62 ransomware attacks against global aviation players in 2020 alone, and the value of ransom demands broke records in 2021.

O’Reilly noted that the TSA is in the early stages of establishing regulations for the aviation industry and has yet to issue guidance to aviation organizations that resembles the type of prescriptive requirements issued for pipelines.

He suggested that the first set of rules was an attempt by the TSA to gain buy-in before issuing stricter rules.

Grant Geyer, chief product officer of operational technology security firm Claroty, said that for pipelines, the TSA was largely focused on implementing segmentation, access control and monitoring, while the rail and airline guidelines focused more on staff availability, incident reporting and incident response plans.

Part of the focus on segmentation is due to real-world events: one of the reasons the Colonial Pipeline attack wasn’t worse was the separation between the business network and the operational technology networks running the pipeline.

The airline industry faces a more varied threat landscape comprised of ransomware groups seeking to cripple operations, nation states interested in stealing customer data, and scammers spoofing websites.

“For rail and air, the goal was to improve response and remediation efforts, while the pipeline directive was a direct response to a specific crisis (the Colonial Pipeline ransomware attack),” said Geyer.

“This crisis has highlighted the pipeline sector’s ties to economic and national security. That being said, the rail and air sectors could have an equally huge impact on national security, economic security, and public safety if there were a Colonial Pipeline-like compromise.”

CyberSaint’s O’Reilly said the aviation industry faces the same kinds of threats as other industries, but noted particular fears about ransomware due to the ramifications of extended downtime potentially caused by attacks.

The European Air Traffic Management Computer Emergency Response Team (EATM-CERT) found that the number of reported cyberattacks among airline industry organizations increased by 530% between 2019 and 2020. The organization has tracked dozens of attacks on airports and airlines over the past six months.

Accelya – a technology company providing services to Delta, British Airways, JetBlue, United, Virgin Atlantic, American Airlines and many others – confirmed on Tuesday that it was suffering from a ransomware attack affecting its systems. Accelya provides passenger, cargo and industry analytics platforms for airline retail and works with more than 250 airlines in nine countries.

In May, SpiceJet Airline in India and a Canadian fighter jet supplier were both hit by ransomware attacks.

One of the factors affecting TSA rulemaking is the makeup of operational technology environments, which vary widely across industries, according to Geyer. Despite the differences, he said, the TSA will need to provide more standardized recommendations across critical infrastructure sectors, as well as reconcile the differences between its two guidelines.

Overall, the rules will give the TSA and CISA more visibility into the state of cybersecurity and the activity of threat actors within the industry, O’Reilly explained.

The data will allow agencies to further tailor their support based on the type of attacks organizations face, which can help the industry mature.

“It’s really a feedback loop,” he said. “If the industry is able to step up its reporting, CISA will be able to provide resources and information to other players more quickly.”

Jonathan has worked around the world as a journalist since 2014. Before returning to New York, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.