TSA's quest to merge cybersecurity and information technology

We're about two weeks into the new year, and suffice to say, gearing up for travel is top of mind for security professionals. The “big” industry shows always seem so far away at this point, but before we know it, ISC West will be here in March, followed by ESX in June; GSX in September; ISC East in partnership with ASIS NYC in November; and more. In addition to these, are the smaller, boutique-type events, such as our SecurityNext conference in February (It's not too late to register, btw!), not to mention all the companies that host events throughout the year. This puts you and your personal data in quite a few airports' computer systems, screening technologies, etc., which can be a hacker's paradise.

Fortunately, while you're on your yearly security quests, TSA is on a “quest” of its own: “to merge cybersecurity and information technology,” according to a special notice issued on January 7, 2020. And, they aren't going at it alone. The agency has the support of America's airport facilities, working together to create a cybersecurity culture by adopting the requirement “cybersecurity by design” to ensure cybersecurity is at for forefront, as opposed to being an add-on or afterthought.

In addition to merging cyber and information technology, there are other “requirements for the information security and security screening technologies industry to ensure everyone is working towards a common goal,” it said in the notice. Other requirements include:

• Implementation of adequate access control and account management practices by enabling multi-level access to equipment sources and the ability to restrict users;
• The ability for airport operators to change system level passwords;
• Use of unique identification of individuals, activity and access to security equipment;
• Protection of screening algorithms form compromise, modification and rendering equipment inoperable, and provide immediate alert when algorithms have been accessed;
• Covering USB ports are covered and access to ports, cables and other peripherals are protected from unauthorized use;
• Employing automated measures to maintain baseline configurations and ensure systems protections;
• Proper management of internal and external interfaces and encryption of ingress and egress traffic;
• Implementing methods to update security equipment affected by software flaws;
• Running security assessment tools on devices to ensure appropriate configuration and patch levels, and that no indicators of compromise are present;
• Full support to ensure security equipment hardware, software and operating system vulnerabilities are identified and remediated;
• Use of an approved encryption method to ensure integrity of all data at rest on security equipment;
• Providing comprehensive list of all software and hardware that compromise security equipment;
• Demonstrating the ability to update equipment design and capabilities to align with changing cyber intelligence and threat reporting; and
• Vetting all local or remote maintenance personnel with the inclusion of background checks.

TSA hopes that these requirements will “increase security levels; raise the bar of cybersecurity across screening solutions; provide vendors an opportunity to demonstrate their cybersecurity credentials; and provide an aligned approach across the industry—making it easier for vendors to adapt to end user requirement.”

Sounds like a win for anyone involved in travel.

�