The administrator of the Transportation Security Administration said the White House is following a similar approach to how it crafted cyber requirements for the oil and gas pipeline industry following the 2021 Colonial Pipeline attack in crafting guidelines for the aviation sector.
The administrator of the Transportation Security Administration, said Wednesday that the agency would deliver new cybersecurity requirements for the aviation industry "in the not-too-distant future."
Speaking at the Aspen Cyber Summit, TSA chief David Pekoske said that the administration is following a similar method of developing the forthcoming cybersecurity rules as it did for the oil and gas pipeline sector, when it released a series of security guidelines in 2021 following the Colonial Pipeline ransomware attack.
Pekoske declined to provide more details on a timeline or what those directives may include, but according to a Reuters report, several U.S. airport websites were hit this week with what seemed to be coordinated denial-of-service attacks that the TSA attributed to pro-Russian hackers.
While those attacks did not appear to affect airport operations, they echo the urgency of the White House following Colonial Pipeline attack, where Pekoske said officials held top secret-level briefings with the nation's most critical pipeline owners to help develop a baseline set of cybersecurity requirements for the oil and natural gas pipeline industry.
Before the TSA released those individual directives for the pipeline industry in July 2021, the White House held briefings for the chief executive officers of the most critical pipeline companies in the U.S. in sensitive compartmented information facilities, or SCIFs, to "frankly exchange perspectives and then figure out the way forward," Pekoske said.
The TSA administrator said he attended several of the White House briefings with critical pipeline owners, which were enabled by the National Security Council.
"We felt it was very important … for the CEOs to see the 'why' – why we were reacting the way we were, and why we needed their support in reallocating resources and priorities within their companies to build cybersecurity resilience within that sector," he said. "My reaction to it was, 'Wow, we should be doing this all the time.'"
TSA eventually released multiple cybersecurity directives for critical pipelines owners and operators in response to the Colonial Pipeline attack, requiring operators to report confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency and to address cybersecurity risks and remediation measures to the TSA and CISA within 30 days, among other directives.
It's unclear whether aviation industry leaders will also take part in similar top secret-level briefings, but the Reuters story also noted that as a condition of its airport terminal grants, the Federal Aviation Administration recently issued a notice to airports "to consider and address physical and cyber security risks relevant to the transportation mode and type and scale of the project."
Pekoske said that it's vital for the administration to engage and collaborate with industry leaders on the cybersecurity challenges facing them.
"Most of the critical infrastructure in the country is owned by the private sector," he added. "The private sector should be aware of the extent of the threat that they're facing so they can look at the vulnerability [and] consequences and determine the risk that they're undertaking."