New TSA security directives are focusing attention on the cybersecurity preparedness of airport and airline operators. This podcast explains how to build, improve and maintain a cybersecurity plan that fits the needs and budget of your aviation organization. Greg Miller, Cherry Bekaert’s Government Services Transportation Team leader, is joined by Dan Sembler, a Director with the Firm’s Information Assurance and Cybersecurity Group, to discuss how aviation organizations can create a well-defined playbook for responding to cybersecurity incidents, breaches and ransomware attacks while maintaining operations and keeping customer data safe.
Topics covered include:
- Best practices for developing cybersecurity and Incident Response Plans
- The five core objectives to include in your plan
- Deadlines for New TSA Security Directives
- How to implement and maintain your Incident Response Plan
- Monitoring controls to assess risks
- What to know about Vulnerability Assessments
- Resources to learn more about cybersecurity
GREG MILLER: Welcome to Cherry Bekaert's podcast on cybersecurity for the transportation sector. I'm Greg Miller, the leader of Cherry Bekaert's government transportation team, and joining me is Dan Sembler, a director in Cherry Bekaert's Risk and Advisory Group, focusing on cybersecurity consulting and gap assessments.
DAN SEMBLER: Thanks for having me.
GREG MILLER: TSA issued two security directives and additional guidance to strengthen cybersecurity across the transportation sector. Those security directives require owners and operators to designate a security coordinator and to report cybersecurity incidents to the system within 24 hours.
GREG MILLER: Organizations must also develop and implement a cybersecurity incident response plan and complete a cybersecurity vulnerability test. Today we'll discuss best practices for developing and implementing a cybersecurity incident response plan and completing a cybersecurity vulnerability assessment, and we'll incorporate common questions we received during our cybersecurity small group sessions at the recent AAAE Finance Conference.
GREG MILLER: Dan, what do you see as the current state of cybersecurity incident response plans within the transportation sector?
DAN SEMBLER: We're getting questions constantly from organizations across the transportation sector and industry-wide domestically. People are increasingly concerned about how to prevent cyberattacks, how to respond to them, and how to avoid becoming a publicly identified breached organization.
DAN SEMBLER: This concern has been amplified by incidents such as the Colonial Pipeline incidents in 2021 and the SolarWinds breach in 2020. A key takeaway from those events is that risk lies throughout the supply chain. Traditional defenses—firewalls, multi-factor authentication, VPNs—are no longer sufficient as organizations move to the cloud and outsource services to third parties.
DAN SEMBLER: As organizations grow and mature, they open more threat vectors. That has increased awareness and the priority given to developing and maintaining a formal incident response plan. Organizations are shifting from thinking "if" we get attacked to "when" we get attacked. Having a well-defined playbook greatly increases the chances of mitigating risk, responding effectively, and continuing operations.
GREG MILLER: You've been involved in several IT and cybersecurity governance projects, helping organizations with strategy and security planning and improving policies and procedures. From your perspective, what are some of the best practices transportation organizations need to consider when developing a response plan?
DAN SEMBLER: Refer to the recent TSA directives regarding incident response plans; they identify core elements we recommend including. There are five core tenets to ensure are included.
DAN SEMBLER: First, policies and procedures to safeguard covered and protected information. That requires data classification to identify what information must be protected and to determine the criticality of that data and the resources to allocate for its protection.
DAN SEMBLER: Second, how you identify an attack: monitoring, logging, review, reporting, and alerting to notify the organization as quickly as possible and enable rapid response.
DAN SEMBLER: Third, how you contain damage and limit exposure in the event of a breach.
DAN SEMBLER: Fourth, how you eradicate the root cause: determine where the breach occurred and remedy the underlying issue.
DAN SEMBLER: Fifth, how you restore business operations promptly, which is especially important in the transportation sector so organizations can continue to meet critical objectives.
DAN SEMBLER: I also want to highlight specific TSA milestones. Organizations are required to identify a cybersecurity coordinator by March 30, 2022. They must be able to identify and report cyber incidents to CISA within 24 hours, which is expected immediately. The development of a formal cyber incident response plan and the results of a cyber vulnerability assessment are both due by June 28 of this year.
GREG MILLER: Thanks for those reminders. The March 30 and June 28 deadlines are approaching. Currently, these requirements relate to rail transportation; the first two apply to other ground and aviation transportation, with the expectation that TSA will make the last two mandatory for other modes as well. Even if a deadline is not applicable to you now, it's likely coming.
DAN SEMBLER: Correct.
GREG MILLER: A plan is only as good as its implementation and acceptance within the organization. Leadership must set the tone. What are best practices for implementing and maintaining the plan?
DAN SEMBLER: Before documenting the plan, assign an appropriate level of management responsibility for creating and maintaining it. This responsibility is often stated in the plan and typically assigned to the chief information security officer or another executive-level designee who can drive priorities and set tone at the top.
DAN SEMBLER: If you already have an incident response plan that hasn't been updated in a few years, update it now. The most important preparation is to ensure the plan is current, has a decision-making tree, and includes definitions for what constitutes an incident and how to differentiate between severe incidents and minor inconveniences.
DAN SEMBLER: After documenting the plan, test it. Run through checklists, priorities, and processes at least annually to ensure readiness. You should be familiar with the plan and its agreed-upon actions so you can follow a checklist under pressure rather than trying to remember steps during an actual incident.
DAN SEMBLER: Important components to include are detailed documentation of any compromise—dates, how inappropriate access was gained, what assets were compromised, and how compromised information was used. Assets include hardware and data.
DAN SEMBLER: Determine whether you experienced ransomware that encrypted data, whether data exfiltration occurred, and whether disclosures to third parties are required. Maintain a running list of remediation actions completed to limit exposure; do not wait until the end to compile that.
DAN SEMBLER: Finally, include key contact information and a call tree that specifies who is notified when there is a suspected incident and how individuals are reached to keep the response coordinated.
GREG MILLER: The idea is to make decisions and set the plan while calm so you're not making frantic choices during an incident.
DAN SEMBLER: Exactly. The plan and decision trees should be developed beforehand so that, when an incident occurs, actions are clear and followable.
GREG MILLER: What monitoring controls should organizations consider to assess their cybersecurity control environment and identify gaps overlooked during planning?
DAN SEMBLER: Technologists will think of logging aggregation and monitoring controls. Consider what you've historically done to monitor system uptime, availability, and performance. Ensure systems can support core objectives.
DAN SEMBLER: From a security perspective, monitor firewall traffic, intrusion detection and prevention logs, and key administrative access logs and reviews. More mature programs implement 24/7 network monitoring and security event monitoring to proactively identify anomalies and classify incidents or breaches.
DAN SEMBLER: Many organizations outsource 24/7 monitoring to managed service providers because in-house 24/7 programs are resource-intensive. Managed providers can perform continuous monitoring and report significant risks or exposures.
DAN SEMBLER: Remember that cybersecurity is not solely a technology problem. Organizations must take a holistic view with organization-wide risk assessments and business impact analyses to define critical assets and determine what requires the most protection. That drives decisions on where continuous monitoring is necessary and whether to engage a managed provider for specific tenants.
GREG MILLER: Cybersecurity is one aspect of enterprise risk management. What should organizations consider in their risk assessment process beyond cyber-specific items?
DAN SEMBLER: Cybersecurity must be integrated into ERM. Decide what makes sense based on strategic objectives and where vulnerabilities lie inside and outside of cyber. Maintain standalone processes to identify emerging threats and vulnerabilities.
DAN SEMBLER: At the ERM level, perform annual reviews to stay current on emerging trends and risks. This is different from technical vulnerability scanning, which must occur more frequently. Stay connected with industry peers and relevant publications or subscription services to identify emerging threats.
DAN SEMBLER: Organizations should maintain a risk library documenting identified risks, prior responses, and decisions. Risk response options include adding controls, transferring risk through insurance, or accepting risk if impact is less than control costs.
DAN SEMBLER: A recent example is the Log4j vulnerability. If it affected your organization, how did you learn about it, and could you have learned sooner? Continuously monitor for such developments to enable a proactive response or an abbreviated risk assessment.
GREG MILLER: When Log4j or similar vulnerabilities are disclosed, organizations need to assess applicability and determine immediate and intermediate responses.
DAN SEMBLER: Correct.
GREG MILLER: Regarding the TSA directive's fourth item—the cybersecurity vulnerability assessment due in late June—what should listeners keep in mind?
DAN SEMBLER: Ensure risk assessment processes are integrated into existing ERM processes to cover the organization holistically. Review policies and procedures against the organization's risk tolerance, and continuously re-evaluate them so staff know how to protect against identified risks.
DAN SEMBLER: From a technical perspective, maintain periodic vulnerability scanning of networks and servers to ensure systems and network equipment are patched and updated. Include both external and internal penetration testing; annual testing is typical, though frequency should reflect the organization's risk tolerance and objectives.
DAN SEMBLER: Implement configuration baselining so new servers and environments reflect hardening and security configurations. Use monitoring to detect configuration drift, such as unexpected changes to multi-factor authentication requirements, and ensure key controls continue to operate at expected levels.
GREG MILLER: Many smaller airports have IT functions under finance and administration, led by personnel fluent in debits and credits but not necessarily in bytes and bits. What resources can finance staff use to gain a framework-level understanding of cybersecurity?
DAN SEMBLER: Cybersecurity is an organizational issue. The AICPA developed a Cybersecurity Risk Management Reporting Framework that is a good starting point for non-technologists. For more granular guidance, NIST provides cybersecurity frameworks widely regarded as standards, especially for organizations working with federal, state, or local government or operating in higher-risk industries. I recommend AICPA first for accountants and finance personnel, then NIST for deeper technical guidance.
GREG MILLER: NIST also offers guidance on integrating cybersecurity into ERM and on cyber supply chain risk management, which is important when assessing vendor practices to prevent downstream risk.
DAN SEMBLER: Correct.
GREG MILLER: Any closing thoughts or last-minute items listeners should be aware of as they implement these directives?
DAN SEMBLER: Empower individuals as the first line of defense. Many breaches occur through social engineering and front-end user actions rather than back-door exploits. Implement formal information security training at hiring and annually thereafter, and run phishing campaigns to improve awareness.
DAN SEMBLER: Ensure robust practices to hold vendors and business partners accountable to security commitments in contracts. Verify how vendors meet promises such as transmitting data over secured channels like TLS 1.2. Use vendor assessments and reports, commonly SOC 2 reports, to continually evaluate vendor security and protect your organization.
GREG MILLER: I appreciate your time and insights on developing and implementing a cybersecurity incident response plan and conducting vulnerability assessments.
DAN SEMBLER: Thanks for having me. I enjoyed the conversation.
GREG MILLER: Cherry Bekaert does not provide accounting, financial reporting, or tax advice on this podcast. Please consult with your accounting and tax advisors or Cherry Bekaert for more guidance. For more information on cybersecurity issues or other topics that might impact your organization, visit Cherry Bekaert's website at cbh.com.
GREG MILLER: Thank you for joining us.