- Infrastructure Security: identification of threats and protection from natural or manmade threats
- Emergency Communications: ensure first responder communications capabilities can function
- Cybersecurity: identification of threats and protection from nation state and cyber criminals
- National Risk Management: ensure the country’s critical infrastructure is protected.
To be successful, we need to demystify the federal government in order to facilitate collaboration. Any business, small or large, and educational institution can participate in operational collaboration. We work closely with the TSA, FAA and FCC as partners.
Some of the current initiatives we are supporting include:
- Active shooter training
- How do we protect critical infrastructure from small uncrewed UAS?
- How can critical infrastructure utilise UAS?
- Working with the Department of Defense (DoD), Department of Energy and the Department of Justice on counter-UAS. How do we determine if a UAS is being used for good purposes or malicious ones? Teaming with international partners and the private sector.
We hold tabletop role-playing sessions for assessing the impact of a threat against the national infrastructure – such as an undersea cable or a power transformer station. These are areas where we team with the FBI and Department of Homeland Security (DHS). Insider risks that could open new attack pathways to GPS, communications and aviation systems can’t be ignored.
All components of the aviation system need to be understood. This includes the entire supply chain. Prioritisation is necessary to determine where to start to have a managed plan to address different parts of the ecosystem. Every person in this industry plays a role in security through the practice of basic ‘cyber hygiene’. In other words, don’t write your password on a note and ‘hide it’ somewhere at your desk.
Airports are a key part of the national critical infrastructure that needs to be protected. Regional airports need to enforce physical security and redundant communications, whereas larger airports are where the real cyber threats come into play. There needs to be remote penetration testing, employee training and tabletop sessions.
It’s too soon to know what challenges will be presented by AAM/UAM. We are still in a learning mode here.
The Aviation Cybersecurity Initiative is a format for the FAA, DHS, and DoD to collaborate with internal and external aviation ecosystem stakeholders within government and private industry on aviation cybersecurity initiatives. Its goal is to reduce cyber risks to the US aviation system.
The Information Technology (IT) and Operational Technology (OT) functions were physically separated in the past. With the use of IP networking and cloud technologies this is no longer the case. Critical infrastructure is now more vulnerable due to this change of data transfer tools. Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA) systems need to be tested regularly.
Following his presentation, Air Traffic Management Magazine had the opportunity to discuss a few additional questions specific to our focus.
How does CISA work with other agencies for interagency cooperation?
At the macro level, this is accomplished by the CISA Cybersecurity Advisory Committee (CSAC), which is comprised of 22 of the nation’s leading experts on cybersecurity, technology, risk management, privacy, and resilience. With a cross section of government – federal, state and local – and the private sector, this brings together a wealth of knowledge that is shared openly between the members behind closed doors. As topics are identified for resolution, the group also works on ideas to provide physical security and cybersecurity.
Can you share a success story specific to the aviation industry?
The Aviation Cybersecurity Initiative mentioned in my presentation. This group enables technical level information sharing. With this rapid technical exchange, decisions can be made as to what level of risks can be accepted. This is focused on by those responsible for accepting these risks – CEO, State Governor, Board of Directors, not CISOs.
How can ANSPs be more proactive when it comes to cybersecurity?
The world of an ANSP is actually not so different from a large company that is unable to shut down its business functions. When you ‘can’t have downtime’ there are additional challenges to implementing cyber hygiene protocols. Industries need to learn from each other. ANSPs need to understand their level of risk and vulnerability and put cyber resiliency plans in place accordingly.
What are your top three suggestions for ANSPs to consider in their cyber-resiliency planning?
- Cyber hygiene throughout the organisation. Insider threats are not always malicious.
- Broader network security at the corporate level.
- Information sharing – learn how to reach quickly and who can help them do so.
Nitin Natarajan was appointed to serve as the Deputy Director for the Cybersecurity and Infrastructure Security Agency (CISA) on February 16, 2021. Prior to joining CISA in February 2021, Natarajan served in a variety of public and private sector positions spanning over 30 years.
Most recently he served as an executive at consulting firms providing subject matter expertise on a variety of topics, including IT, cybersecurity, homeland and national security, critical infrastructure protection, environmental emergency management, continuity of operations, and health security matters.