TSA Desires "Cybersecurity by Design"
The United States Transport Security Administration (TSA) has publicly announced that it's on a "quest to merge cybersecurity and information technology."
Instead of cybersecurity's being an add-on or afterthought, the TSA wants the industry to adopt a culture of "cybersecurity by design" when dreaming up and manufacturing security equipment.
The transport-focused sub-tier of the Department of Homeland Security has not taken on this mission alone, but rather says that it's acting with the support of America's airport facilities.
The joint call for a new mindset from the security industry was announced in a special notice on January 7.
"The purpose of this special notice is to inform [the] industry of TSA's and airport facilities' quest to merge
cybersecurity and information technology," wrote the TSA.
"This and future notifications will provide [the] industry with ongoing meeting overviews and actions that specifically address information security and security screening technologies."
Along with its desires for an integrated approach, the TSA listed 17 key requirements for the information security and security screening technologies industry, with the aim of ensuring all parties are working toward a common goal.
Demonstrable "cybersecurity by design" for security equipment topped a list that also called for password control that allows airport operators to change system-level passwords and the vetting of all maintenance personnel, both local and remote, via background checks.
Systems must be updatable as vulnerabilities are discovered, and security assessment tools should run on devices to scan for them. In addition, systems must ensure the unique identification of people, activity, or equipment access and be able to audit, analyze, and monitor events.
To protect supply-chain integrity, a complete list of all software and hardware making up screening equipment will be required from vendors.
Vendors are also expected to protect screening algorithms from compromise with systems that issue alerts when accessed. Steps must also be taken to prevent unauthorized physical access—via USB ports, for example.
"Sharing these requirements with [the] industry and the public will: Increase security levels; raise the bar of cybersecurity across screening solutions; provide vendors an opportunity to demonstrate their cybersecurity credentials; and provide an aligned approach across the industry—making it easier for vendors to adapt to end user requirements," wrote the TSA.
Source: Information Security Magazine