By: Chuck Mackey, Director of Cybersecurity Consulting, Fortress Security Risk Management
It’s a sad and dangerous fact: cyber-attacks on airports and airlines are increasing in frequency, sophistication, and severity. Here is a small, recent sample:
- The South Carolina Department of Revenue reported a cyber-attack that impacted several airports in the state, including Charleston International Airport and Greenville-Spartanburg International Airport.
- Kansas Department of Transportation reported a cyber-attack that affected the computer systems at Wichita Eisenhower National Airport and three other airports in the state.
- The Metropolitan Nashville Airport Authority reported a cyber-attack that impacted its website and other computer systems.
- The Port of Seattle reported a cyber-attack that affected its email system and caused flight delays at Seattle-Tacoma International Airport.
There are over 19,500 airports in the United States according to the Federal Aviation Administration (FAA)[1], including public, private, and military. The FAA directs over 45,000 commercial flights per day throughout the U.S. To suggest that aviation security—physical and digital—is important is a dramatic understatement.
Aviation is a powerhouse contributor to economic growth, contributing over $3.5 trillion to worldwide Gross Domestic Product (GDP). Employment is estimated at 65 million globally. Aviation provides military protection, transports freight, supports tourism, and delivers health and humanitarian aid to all parts of the world. It is safe to say global economies would grind to a halt without aviation. Many of us experienced this during the early months of COVID.
Knowing this, how does a country, let alone a community, deal with the real threats to aviation? Cyber-attacks, along with a list of man-made and natural causes, directly impact people’s ability to move freely about the country.
The U.S. created the framework and the cross-collaboration mechanisms to work with the private sector to address the most pressing security and business continuity issues that face aviation specifically and transportation in general. This white paper reviews the national approach to aviation safety within the identified sixteen critical industry sectors, provides insight into the framework, and describes what Fortress Security Risk Management envisions as the most appropriate security measures for aviation safety.
Critical Infrastructure Protection (CIP) was recognized as a U.S. national priority in 1998 by then-President Bill Clinton through Executive Order 13010, which established the Commission on Critical Infrastructure Protection. The resulting written document is the National Infrastructure Protection Plan (NIPP).
A key objective of NIPP emphasized the creation of partnerships between government (federal, state, local) and the private sector. Today there are sixteen (16) critical infrastructure sectors as identified and focused on by the Cybersecurity & Infrastructure Security Agency (CISA)[2]. Beyond CIP, CISA developed and published the CISA 2023-2025 Strategic Plan[3].
The Transportation Systems Sector (TSS) has always been a CIP priority sector. DHS[4] and the Department of Transportation[5] are formally designated as co-sector risk management agencies for transportation. This includes Aviation, Highway and Motor Carriers, Maritime, Mass Transit and Passenger Rail, Pipeline Systems, Freight Rail, and Postal and Shipping. It is evident that transportation has far-reaching ramifications for citizens, communities, and other key stakeholders both nationally and internationally.
Within TSS are resources and working groups that enable transparency, accountability, and the framework for advancing the mission and objectives of the TSS CIP. To safeguard the nation’s transportation infrastructure, this framework centers on threat identification and protection concerning acts of terrorism, natural disasters, and cyberattacks.
At a high level, the most relevant TSS CIP principles are:
- Risk assessment: A risk assessment is conducted to identify the potential risks and vulnerabilities of the transportation infrastructure. This helps to determine the appropriate measures to mitigate and prevent these risks.
- Coordination and collaboration: Emphasizes the importance of coordination and collaboration between federal, state, and local agencies and the private sector to enhance the security of transportation infrastructure.
- Physical security: Addresses the need for physical security measures, such as physical access control, perimeter security, and surveillance systems, to protect critical transportation infrastructure.
- Cybersecurity: Recognizes the expanding threat landscape of cyber-attacks on transportation infrastructure and prioritizes the need for robust cybersecurity measures to prevent, detect, and respond to these attacks.
- Emergency preparedness: Stresses the importance of emergency preparedness and response planning to ensure that transportation infrastructure can continue to operate in the event of a crisis.
- Training and education: Addresses the importance of training and education programs to enhance the skills and capabilities of transportation industry personnel to identify and respond to threats, and to create awareness among the user population of transportation services.
- Continuity of operations: Calls for continuity of operations planning to ensure that critical transportation infrastructure can continue to operate during and after a crisis.
TSA Amends Cybersecurity Programs for TSA-regulated Airports and Airport Operations
Earlier this March, in direct response to increasing and persistent cyber-centric threats, TSA issued an amendment to the cybersecurity protection programs for airports and airport operations to bolster cybersecurity measures, protect against infrastructure disruption, and proactively assess the current-state efficacy of their cybersecurity compensating controls. This follows closely on similar measures issued to passenger and freight rail carriers in October 2022.
David Pekoske, TSA Administrator, said, “This amendment to the aviation security program extends similar performance-based requirements that currently apply to other (TSS CIS).”
Fortress Security Risk Management Analysis
A key requirement for the aviation industry is to implement stronger cybersecurity measures to protect against specific cyber threats and attacks, including ransomware attacks, phishing attempts, and other malicious activities. This includes implementing advanced security protocols, such as multi-factor authentication (MFA), data encryption, and real-time threat monitoring and response.
Aviation industry stakeholders must establish a robust Incident Response plan that outlines the necessary steps to take in the event of a cyber-attack. This includes having clear lines of communication and coordination between all relevant stakeholders, including airline operators, airports, government, legal, and law enforcement agencies, as necessary.
In further research, we found aviation industry experts saying this amendment is long overdue and covers measures that airports and operators should have been implementing for years.
Emphasis on aviation is a direct result of the aggressive focus by the current White House Administration on cybersecurity.
Substantiated through our work with various TSS organizations, including airports and over-the-road carriers, Fortress Security Risk Management sees the following compensating controls as must-haves to meet minimum conditions set out by this new amended agenda:
- Develop Network Segmentation Policies and Controls: Airlines and airports are responsible for the continued operation of safe services in the event their information systems have been hacked.
- Create Access Control Measures: Mandate the implementation of technologies and cyber best practices that ensure only those who are supposed to have access to information systems are properly authenticated and authorized.
- Implement Continuous Monitoring and Detection Policies and Procedures: Airlines and airports are responsible for making sure they update and implement the proper tools and procedures that enable them to “defend, detect, and respond” to cyber-attacks.
- Cyber Hygiene: Software patches and updates are required to be monitored and implemented in a “timely manner using a risk-based methodology.”
- Device Security: Calls for the implementation of proven Endpoint Detection and Response (EDR), utilizing bona fide behavioral-based detection systems that go beyond simple anti-virus tools.
- Maturity and Capability: Proactive, ongoing assessment measured against an established framework[6] (NIST, ISO, CIS, etc.).
Fortress Security Risk Management protects companies from the financial, operational, and emotional trauma of cybercrime by enhancing the performance of their people, processes, and technology.
Offering a robust, co-managed solution to enhance an internal IT team’s capability and capacity, Fortress Security Risk Management features a full suite of managed security services (24/7/365 U.S.-based monitoring, cyber hygiene (managed patching), endpoint detection and response (EDR), and air-gapped and immutable cloud backups) plus specialized services such as Cybersecurity-as-a-Service, Incident Response including disaster recovery and remediation, M&A cyber due diligence, GRC advisory, identity and access management, threat intelligence, vulnerability assessments, and technical testing. With headquarters in Cleveland, Fortress supports companies with both domestic and international operations.
In Case of Emergency:
Cyber Attack Hotline: 888-207-0123 | Report an Attack: IR911.com
For Preventative and Emergency Resources, please visit:
[1] FAA: The Federal Aviation Administration (FAA) is the largest transportation agency of the U.S. government and regulates all aspects of civil aviation in the country as well as over surrounding international waters.
[2] CISA: Home Page | CISA
[3] CISA Strategic Plan: 2023-2025 Strategic Plan | CISA
[4] Department of Homeland Security: Home | Homeland Security (dhs.gov)
[5] Department of Transportation: Department of Transportation
[6] Security Framework: A defined approach to understanding an organization’s current risk profile and establishing a plan of action and roadmap for remediation.