The TSA announced that it amended the security directives in response to “persistent cybersecurity threats” against U.S. critical infrastructure, including the aviation sector. The amendment requires impacted entities to develop an approved implementation plan that describes the measures the entities are taking to improve their cybersecurity resilience and to prevent disruption and degradation to their infrastructure, inclusive of:

• Developing network segmentation policies and controls to ensure operational technology systems can continue to safely operate in the event of a compromise;
• Creating access control measures to secure and prevent unauthorized access to critical cyber systems;
• Implementing continuous monitoring and detection policies and procedures for critical cyber system operations; and
• Reducing the risk of exploitation of unpatched systems via the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.

The potential impact of a successful, wide-spread attack on the U.S. aviation industry cannot be overstated. According to a recent study by the trade organization Airlines for America, commercial aviation drove 5% of the U.S. GDP in 2022.^[2] On average, U.S. airlines operate 25,000 flights daily, carrying 2.3 million passengers to and from nearly 80 countries. They also carry more than 65,000 tons of cargo to and from more than 220 countries on a daily basis.

Given the potential economic disruption, as well as the safety risks posed by a cyberattack on the aviation industry, we can expect to see the TSA continue to focus on cybersecurity for the foreseeable future.

***
^{[1] https://www.tsa.gov/news/press/releases/2023/03/07/tsa-issues-new-cybersecurity-requirements-airport-and-aircraft (last visited March 27, 2023)}

^{[2] https://www.airlines.org/impact/ (last visited March 27, 2023).}