TSA Cyber Roadmap to Reality

In the first of a three-part series, SDI’s aviation Subject Matter Expert Erin Manning, PMP, CISM, examines the state of cybersecurity in US airports, and steps to strengthen airports’ cyber posture.

Transportation safety and security programs have traditionally been focused on protecting and securing assets (i.e. physical security). In today’s technology landscape, safety and security must now add cybersecurity initiatives to their safety and security programs.

The Department of Homeland Security (DHS) is responsible for ensuring the safety and security of the United States from terrorist attacks and other disasters. Created in response to the 9/11 attacks, the Transportation Security Administration (TSA) is an agency of the U.S. Department of Homeland Security that has authority over the security of the traveling public in the United States. The Transportation Systems Sector (TSS) consists of aviation, highway and motor carrier, maritime transportation, mass transit and passenger rail, pipeline systems, freight rail, and postal and shipping.

Critical infrastructure operators, like airports, are attractive, high-value targets due to the many people, devices, and technology systems present. In the past decade, airports have exponentially increased their dependence on technology to manage processes, operations, and improve the passenger experience. Air travel involves data transfer with many stakeholders, including the airlines, the passengers, origin and destination airports, credit card companies, and more, as well as customs and border protection for international travel. The volume and variety of data are enticing as is the chance to cause social and economic chaos in a global transportation network by causing flight delays or stoppages and increased security responses.

While some cyber attacks are nuisance-level issues with simple and quick remediation, a sophisticated cyber-attack directed at a critical infrastructure operator like an airport – impacting its ability to provide service to a general population – could have ripple effects that can literally cripple a nation.

The September 2018 release of the National Cyber Strategy called for the Federal Government to “develop a comprehensive understanding of national risk by identifying critical functions and will mature our cybersecurity offerings and engagements to better manage those national risks.”[1] In response, in November of 2018, the TSA released its first Cyber Security Roadmap which contains priorities and goals to align their cybersecurity efforts with DHS cybersecurity strategies to better protect the Transportation Systems Sector.

“The Cybersecurity Roadmap is a key piece of the TSA Strategy to improve security and safeguard the transportation system. The 2018-2026 TSA Strategy guides the agency through TSA’s 25th anniversary and identifies three strategic priorities: Improve Security and Safeguard the Transportation System, Accelerate Action, and Commit to Our People.”[2]


[1] Transportation Security Administration. (2018). TSA Cybersecurity Roadmap 2018: the United States, 2018. Retrieved from: https://www.tsa.gov/sites/default/files/documents/tsa_cybersecurity_roadmap_adm_approved.pdf

[2] Transportation Security Administration. (2018). TSA Releases Cybersecurity Roadmap National Press Release, 2018. Retrieved from: https://www.tsa.gov/news/releases/2018/12/04/tsa-releases-cybersecurity-roadmap


Aligning with the DHS Cybersecurity (in many places word for word), the Cyber Security Roadmap 2018 is a 5-year roadmap consisting of four priorities and six goals:

Priorities

  • Risk Identification
  • Vulnerability Reduction
  • Consequence Mitigation
  • Enable Cybersecurity Outcomes

Goals

  1. Assess and Prioritize Evolving Cybersecurity Risks to the TSA and TSS (Transportation Systems Sector).
  2. Protect TSA Information Systems
  3. Protect TSS Critical Infrastructure
  4. Respond Effectively to Cyber Incidents
  5. Strengthen the Security and Resilience of the Cyber Environment
  6. Improve Management of TSA and TSS Cybersecurity Activities

A roadmap, by definition, is a high-level overview discussing what is to be accomplished, but often provides little detail as to how. While this is the first step for TSA to include cybersecurity in its purview, the Roadmap contains little detail as to how the stated priorities and goals will be achieved.


[1] Transportation Security Administration. (2018). TSA Cybersecurity Roadmap 2018: the United States, 2018. Retrieved from: https://www.tsa.gov/sites/default/files/documents/tsa_cybersecurity_roadmap_adm_approved.pdf


Organizations that lack a formal cybersecurity risk management program could use the guidance to establish risk-based cyber priorities.”[1]

The assumption, then, is that the TSS is going to follow the program. But are they prepared and ready to mobilize a NIST-based program? What will be the impetus to drive awareness, urgency, and funding to cyber programs in our nation’s airports? How will non-regulated entities be handled?

While instances of airport cyber-attacks have not (at least publicly) been in the news, consider how today’s real-world cyber risks could impact an airport’s operations.

Read “The State of Cybersecurity in U.S. Airports” to examine how specific cyber attacks as reported throughout recent news would threaten the unique environment of an airport itself.


[1] Department of Homeland Security. (2018). Transportation Systems Sector Cybersecurity Framework Implementation Guide. Retrieved from: https://www.dhs.gov/publication/tss-cybersecurity-framework-implementation-guide


ABOUT SDI GUEST BLOGGER

Erin Manning is a Director of Learning at SDI Presence. A certified Project Management Professional (PMP) and Certified Information Security Manager (CISM), Erin is well versed in FAA/FAR/TSA Regulations with expertise in public safety and security systems. Erin has served as project manager on numerous aviation security projects including at O’Hare International Airport, Midway International Airport, Los Angeles World Airports, and Phoenix Sky Harbor.