TSA to Issue Cybersecurity Rules for Aviation Industry, Agency Head Says

David Pekoske, the head of the Transportation Security Administration, said at a recent Aspen Institute event that efforts are underway to build a new set of cybersecurity requirements for the aviation industry following denial-of-service attacks by Russia-allied hackers on U.S. airport systems in October.

He did not share details on the rules’ contents or a timeline for their release and implementation, FCW reported Friday.

The TSA issued similar requirements for the oil and gas industry following a 2021 ransomware attack on Colonial Pipeline. According to Pekoske, one such rule mandates a separation of information technology from operational technology used for industrial control systems.

Incorporating input from industry stakeholders, the agency released revised requirements intended to give pipeline owners greater leeway regarding the implementation of security measures. Pekoske maintained that the rules still enable the continuous monitoring and auditing needed to achieve cybersecurity objectives.

The rail transit industry is another segment that has recently received directives from TSA, with special attention paid to providers that move passengers and cargo through population centers. The rules call for a designated coordinator and a 24-hour deadline for incident reporting to the Cybersecurity Infrastructure and Security Agency, among others.

Pekoske explained that the requirements were eased to take stakeholder feedback into account, allowing organizations to take different approaches to achieve outcomes.