On the heels of a new national cyber security strategy, the Transportation Security Administration on Tuesday released its own roadmap for protecting its information technology (IT) and the transportation system from cyber threats.

The TSA Cybersecurity Roadmap “defines clear pathways to integrate and improve the TSA’s cybersecurity posture, safeguard the nation’s transportation systems, and build TSA’s capacity to meet the ever-changing cybersecurity environment through smart investments and collaborative partnerships,” TSA Administrator David Pekoske writes in a preface to the new roadmap.

Transportation Security Administration Administrator David Pekoske.
Transportation Security Administration Administrator David Pekoske.

The 18-page roadmap outlines four priorities and six goals to guide the agency’s cyber security efforts. The four priorities are to identify risk, reduce vulnerabilities, mitigate consequences, and enable cyber security outcomes by helping to make the transportation systems sector more secure and reliable. The priorities are consistent with key cyber security pillars outlined in the Department of Homeland Security’s cyber security strategy released in May.

The six goals are aligned under the priorities and include a number of objectives. The goals include assessing and prioritizing risks to the agency and transportation systems sector, protecting the agency’s information systems and the transportation system’s critical infrastructure, responding to cyber incidents effectively by minimizing their consequences, strengthening security and resilience by “promoting voluntary, collaborative, and sustainable community action,” and finally to improve the management of the agency’s and the sector’s cyber security activities.

The roadmap doesn’t identify specific threats or examples of threats to the transportation sector but provides a general warning that “The growing interconnectivity of cyber and physical systems within critical infrastructure creates the potential risk for malicious cyber activity to result in direct physical consequences.”

The roadmap is the first document coming from an operational component of DHS that deals with cyber security, Pekoske said on Tuesday at the annual Association of American Airport Executives Aviation Security Summit. He said that given the “vast volumes of data” that TSA handles, the agency needs to protect it to be able to effectively leverage it for its various uses such as assessing risk in the transportation sector and assigning resources against those risks.

Afterward during a brief media gaggle, Pekoske said that TSA will work on developing its own cyber security capabilities, which is less about hiring additional personnel than in making sure it has the right people with the right skillsets. TSA has to an “organic” capability in cyber security that needs to be further built up with the “right people in place,” he said.

Pekoske said TSA does want to “focus on…how data is protected in the overall airport environment,” adding that the agency reviews airport security plans.

Michael Stephens, the chief information officer and general counsel at Tampa International Airport in Florida, said during a cyber security panel at the conference that the roadmap “is a step in the right direction” of closing cyber security gaps in the aviation industry.

Stephens testified at a House Homeland Security Committee in September that only 34 percent of airports and aviation critical infrastructure entities had implemented recognized cyber security standards. The committee was “aghast” at that statistic he said, adding that since then they have reached out to him for help in figuring out how to close this gap.

The industry has to “get out in front of this” before Congress writes legislation that it doesn’t like, he said.

“We need to start thinking about cyber hygiene…and cyber threat risk mitigation in the very same way” as other hazards to aviation critical infrastructure are dealt with, Stephens said. Currently at airports physical security procedures such as access controls are inspected but “no one is checking the software that opens the doors and closes the doors, no one checks the airfield lighting industrial control systems,” he said.

Sooner or later, Stephens said, there will be a “catastrophic event” in the aviation sector if cyber security needs aren’t addressed.