In March 2023, the Transportation Security Administration (TSA) issued a new cybersecurity amendment on an emergency basis to the security programs of certain TSA-regulated airport and aircraft operators, following similar measures announced in October 2022 for passenger and freight railroad carriers making a significant shift in the aviation industry's approach to cyber threats. These regulations mandate implementing robust cybersecurity measures, including developing incident response plans, using multi-factor authentication, and regular vulnerability assessments.
These requirements have a profound impact and compel operators to prioritize cybersecurity alongside physical security measures. The TSA aims to mitigate the potentially devastating cyber-attack risks by enforcing a standardized approach. These attacks could disrupt operations, compromise sensitive data, or even endanger passenger safety.
“Protecting our nation’s transportation system is our highest priority and TSA will continue to work closely with industry stakeholders across all transportation modes to reduce cybersecurity risks and improve cyber resilience to support safe, secure and efficient travel,” says TSA Administrator David Pekoske.
Moreover, these requirements were strengthened to help foster a culture of cybersecurity awareness and resilience across the aviation sector. Operators must take a proactive stance, investing in advanced technologies and cybersecurity training for their staff to ensure they are equipped to handle potential threats. This aims to protect the integrity of airport and aircraft systems and build passenger trust in air travel safety.
So, how is the industry doing? According to a new report, The Cyber Risk Landscape of the Global Aviation Industry, 2024, issued by SecurityScorecard, the latest research aims to elevate the discourse on supply chain cyber risk, emphasizing the need and best practices for comprehensive cybersecurity monitoring across the aviation sector. With input from 250 leading global aerospace and aviation companies, including 100 top commercial passenger airlines, security researchers thoroughly examined cybersecurity vulnerabilities across the airline industry and its various supply chains.
Because the aviation industry has traditionally focused on physical security threats, recent revelations about Boeing's supply chain risks have highlighted the critical need to measure and mitigate supply chain risk and integrate emerging cybersecurity mitigation strategies with a legacy physical security policy.
“The aviation industry operates on a complex web of partnerships, but a company's security is only as strong as its weakest link. Our research shows airlines are flying blind on third-party risks. It's time for the industry to take control and prioritize robust security measures across their entire ecosystem before turbulence turns into a disaster," says Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard.
The research spotlights six key findings.
● The aviation industry scores a "B” on cybersecurity: The aviation industry scores a "B" on average. While this isn't a failing grade, significant disparities exist. Organizations with a B rating are 2.9x more likely to be victims of data breaches than those with an A rating.
● Vulnerability of IT vendors and airlines: Notably, aviation-specific software and IT vendors score the lowest, with a mean score of 83, posing substantial third-party risks for their airline customers. By the same token, customers can also pose third-party risks for their vendors.
● Impact of third-party breaches: 7% of companies in the sample publicly reported breaches in the past year; 17% had evidence of at least one compromised machine in the past year. In addition, airlines had 4% more breaches than the industry benchmark due to vulnerabilities in lower-scoring vendors raising their third-party risks.
● Global disparities at the nexus of cyber and geopolitical threats: Advanced economies like Western Europe and Australia achieve better cybersecurity outcomes, with scores significantly higher than emerging markets.
● Ransomware is a top threat: Ransomware is the dominant theme in public reporting of attacks on this industry. Ransomware operators actively targeting the aviation industry have included BlackCat, LockBit, BianLian, and Dunghill Leak.
● Correlation with performance: Top-performing airlines, as ranked by industry and consumer standards, have above-average security scores, indicating a link between operational excellence in general and cybersecurity performance in particular.
What remedies can be applied to meet these cybersecurity challenges based on these major risks? The study concludes that software and IT vendors focus on mitigating risks from software and IT vendors, which pose the highest third-party risks, and expand third-party risk management to include customers and other partners in programs to cover the full spectrum of potential threats.
Other recommendations include enhancing the protection of key data by implementing robust defenses around aerospace intellectual property and passenger data, which are high-value targets for cybercriminals and state-sponsored actors, and also avoiding paying ransoms to prevent further incentivizing attacks and comply with legal restrictions.
Overall, the TSA's cybersecurity requirements signify a crucial step towards fortifying the aviation industry's defenses against evolving cyber threats, reinforcing its commitment to safeguarding its operations and the passengers it serves.
