US to add cybersecurity requirements for critical aviation systems

(Reuters) - A U.S. transportation security agency said Wednesday it plans to issue new cybersecurity requirements for some key aviation systems after several U.S. airport websites earlier this week were hit with apparently coordinated denial-of-service attacks.

The Transportation Security Administration (TSA) said Monday's cyberattacks that were allegedly organized by pro-Russian hackers "did not disrupt airport operations or access to information."

TSA noted it previously "updated its aviation security programs to require airport and airline operators designate a cybersecurity coordinator and report cybersecurity incidents, conduct a cybersecurity assessment, and develop remediation measures and incident response plans."

TSA added it plans to "soon issue additional performance-based cybersecurity requirements for critical aviation systems."

The Federal Aviation Administration (FAA) as a condition of airport terminal grants said in a notice last month to airports they must demonstrate efforts "to consider and address physical and cyber security risks relevant to the transportation mode and type and scale of the project."

The FAA added "projects that have not appropriately considered and addressed physical and cyber security and resilience ... will be required to do so before receiving funds for construction."

The Government Accountability Office in a 2020 report said the FAA should fully implement key practices to address cybersecurity risks.

GAO noted "modern airplanes are equipped with networks and systems that share data with the pilots, passengers, maintenance crews, other aircraft, and air-traffic controllers" and if not properly protected "could be at risk of a variety of potential cyberattacks."

GAO said in 2020 there had not been any reports of successful cyberattacks on an airplane’s avionics systems.