The Transportation Security Administration (TSA) announced a new set of cybersecurity requirements this week for airport and aircraft operators.
The requirements don't seem overly stringent. Where I usually start with"cyber infrastructure" is asking the question "Is it necessary?" This is an evaluation that government and quasi-government agencies often struggle with. Do you need all this data? Do you need all these systems? Must they be online?
For example, my wife just bought a new car that the dealer was excited to show her it could be started with just an app on her phone. Why are we placing motor vehicles on the Internet? To broaden this back out to the TSA, how about we start with reducing the attackable footprint? Stop believing you can secure every node of the technology. That is the fundamental flaw when we start looking at infrastructure. The problem is not one of security; it's design and procurement. By the time, we, the security professionals, enter the picture, it's too late. The best we can do is triage. We figured it out with a pandemic - counter the risk with social distancing. How about we start practicing "cyber distancing?" Reduce the footprint. Then we might have a better chance.