When most people hear of the Transportation Safety Administration (“TSA”), they typically think of long lines at the airport, and certainly not cybersecurity. But cybersecurity is top of mind for the TSA these days. This was made evident on March 7, 2023, as the TSA used its emergency powers to amend security directives for certain TSA-regulated airport and aircraft operators in order to require enhanced cybersecurity requirements for those operators.[1] The move is part of the Department of Homeland Security’s continuing efforts to increase the cybersecurity resilience of U.S. critical infrastructure.
The TSA announced that it amended the security directives in response to “persistent cybersecurity threats” against U.S. critical infrastructure, including the aviation sector. The amendment requires impacted entities to develop an approved implementation plan that describes the measures the entities are taking to improve their cybersecurity resilience and to prevent disruption and degradation to their infrastructure, inclusive of:
The potential impact of a successful, wide-spread attack on the U.S. aviation industry cannot be overstated. According to a recent study by the trade organization Airlines for America, commercial aviation drove 5% of the U.S. GDP in 2022.[2] On average, U.S. airlines operate 25,000 flights daily, carrying 2.3 million passengers to and from nearly 80 countries. They also carry more than 65,000 tons of cargo to and from more than 220 countries on a daily basis.
Given the potential economic disruption, as well as the safety risks posed by a cyberattack on the aviation industry, we can expect to see the TSA continue to focus on cybersecurity for the foreseeable future.
***
[1] https://www.tsa.gov/news/press/releases/2023/03/07/tsa-issues-new-cybersecurity-requirements-airport-and-aircraft (last visited March 27, 2023)
[2] https://www.airlines.org/impact/ (last visited March 27, 2023).
Sign up for our newsletter and get the latest to your inbox.