The Transportation Security Administration announced its intention, along with airports, to better embed cybersecurity within screening equipment.
The agency announced 17 new cyber-related vendor requirements in a special notice this week, the first of which is that vendors adopt a demonstrable culture of “cybersecurity by design” for security technology.
“Sharing these requirements with industry and the public will: increase security levels, raise the bar of cybersecurity across screening solutions, provide vendors an opportunity to demonstrate their cybersecurity credentials, and provide an aligned approach across the industry — making it easier for vendors to adapt to end user requirements,” reads the notice.
Vendors will also be required to implement “adequate” access control and account management practices that enable multi-level access to equipment and restrict users to required levels.
Other requirements TSA set forth in the notice:
- Airport operators must be able to change system-level passwords.
- Systems must ensure unique identification of people, activity or equipment access and be able to audit as well as analyze and monitor events.
- Vendors must protect screening algorithms from compromise by designing systems that issue alerts when they’re accessed, as well as prevent unauthorized physical access via, say, USB ports.
- Screening equipment must automatically maintain protected, baseline configurations that send out alerts when accessed, and system ingress and egress traffic must be encrypted in keeping with industry standards.
- Systems must be updatable as vulnerabilities are discovered, and security assessment tools should run on devices to scan for them.
- Vendors must provide full hardware, software and operating system support for screening equipment and ensure data at rest is encrypted.
- A complete list of all the software and hardware comprising screening equipment is required to ensure supply chain integrity.
- Equipment must be updatable to keep pace with changing cyber intelligence and threat reporting, and all maintenance personnel must be vetted by a local or national authority.
TSA intends to hold meetings on security scanners and advanced imaging technology, explosives detection systems for cabin baggage (EDS CB) — both dual and multiview solutions — and progress review. The meetings are not open to industry.
Previous TSA meetings addressed information security risk management and cyber requirements for EDS CB, as well as automatic tray return systems and screening lanes.
The announcement follows a number of recent efforts TSA has made to improve its screening technology. TSA’s Innovation Task Force (ITF) issued a broad agency announcement for Innovative Demonstrations for Enterprise Advancement (IDEA) in late October.