AVIATION GROUND OT

Secure Remote Access for Aviation Ground OT: TSA Emergency Amendment, $13,910 Per Day Per Violation

TSA Emergency Amendment (March 7, 2023) requires access controls with MFA, session logging, network segmentation, and patch management from every Part 139 airport and Part 121/125/129 operator in the United States. The penalty is $13,910 per day per violation.
One deployment. 20 minutes per airport zone. All four TSA pillars covered.

TSA Emergency Amendment

SOC 2 TYPE II

NIS2 (EU Operators)

KUPPINGERCOLE LEADER 2025

  • $13,910 per day per violation
  • 20 min deployment per site
  • 4 / 4 TSA pillars covered
  • 40+ countries deployed

The Credential Exposure TSA Is Responding To

In May 2021, a single compromised VPN credential shut down 5,500 miles of the Colonial Pipeline. The credential had no MFA. The VPN had no session logging. The access had no time limit. DarkSide ransomware entered through that one unprotected remote access point.
TSA issued its first security directive within weeks. Every TSA cybersecurity requirement since traces back to that access control failure: pipeline directives, rail directives, and the March 2023 Emergency Amendment for aviation. The technical requirements across all three are identical because the root cause is identical. One unprotected credential.
The kind of unprotected remote access credential that shut down Colonial is the kind your baggage handling vendor uses to connect to airport PLCs. Remote access ranks among the top three OT vulnerability vectors per the SANS 2025 survey. For aviation ground OT, the exposed systems are baggage handling PLCs running Modbus, perimeter intrusion detection, airfield ground lighting controllers, fueling system SCADA, and building automation in secure terminal areas.
This is not a theoretical risk. It is the exact attack path that triggered every TSA cybersecurity directive in existence.

What Changes When You Deploy

Session-brokered, protocol-isolated access for every vendor, every maintenance window, every airport zone.

All Four TSA Pillars in One Architecture

  • Network segmentation through session isolation at the gateway boundary
  • MFA-enforced access controls with least-privilege, time-limited authorization
  • Continuous monitoring and forensic replay via Centralizer
  • On-premises patch management with zero cloud dependency

Result

One architecture. One deployment. Four pillars closed.

Protocol Isolation for Ground OT

  • Baggage handling PLCs speak Modbus. Perimeter systems speak BACnet. Fueling SCADA runs proprietary protocols.
  • All terminate at the CSG. Zero OT protocol data crosses to the vendor side.
  • Wireshark on the OT network segment during an active session shows only encrypted image traffic. 

Result

No Modbus polling data. No BACnet commands. That is the architecture.

Session Recording and 24-Hour Reporting

  • Every session recorded, timestamped, and user-attributed
  • Centralizer aggregates governance and indexes recordings for forensic replay
  • When TSA requires a 24-hour incident report to CISA, the audit trail is already there

Result

CSG gateways capture session recordings across every connected zone. Centralizer indexes recordings for forensic replay.

Airport Multi-Zone Deployment

  • Airside: runways, taxiways, aprons
  • Terminal: baggage, HVAC, fire suppression
  • Landside: parking, perimeter, access gates

Result

CSG deploys in 20 minutes per zone. No OT topology changes. No new VLANs. Network firewall policies may require minor updates to enable the CSG connection path.

20 minutes to deploy per airport zone

  • Step 1: Deploy gateway at each airport zone. OT network topology unchanged. Network firewall policies may need minor updates. No new VLANs.
  • Step 2: Grant time-limited, asset-scoped vendor access.
  • Step 3: TSA Emergency Amendment compliance documentation produced automatically.

40+ sites in 40+ countries, production deployments
Deployed across critical transportation infrastructure operators. Baker Hughes and AltaGas operate in TSA-regulated pipeline environments using the same CSG deployment model, the same Centralizer governance, and the same protocol isolation. The architecture that satisfies TSA SD-02F for pipeline operators satisfies the TSA Emergency Amendment for aviation.
Also deployed by Mitsubishi, GE Vernova, and Aluar. These are production deployments, not pilots. Named a Leader in OT/ICS Secure Remote Access by KuppingerCole Leadership Compass 2025. The SANS 2025 ICS/OT Security Survey ranks remote access among the top three OT vulnerability vectors.

Who This Solves For

Airport Operations / Facilities Manager

  • Deploy across airside, terminal, and landside zones in 20 minutes per zone with zero operational disruption
  • Grant maintenance vendors time-limited, asset-scoped access instead of standing VPN credentials to baggage systems
  • Eliminate downtime during access provisioning for 24/7 airport operations

OT / Controls Engineer

  • Protocol isolation terminates Modbus and BACnet at the gateway; zero OT protocol data reaches the user side
  • Browser-based access to baggage PLCs, airfield lighting controllers, and fueling SCADA from any device
  • No agents on OT endpoints. No OT topology changes. No new VLANs.

CISO / Security Lead

  • All four TSA Emergency Amendment pillars covered through one deployment: segmentation, MFA, monitoring, patching
  • Every session recorded and user-attributed for 24-hour CISA incident reporting requirements
  • SOC 2 Type II certified. On-premises. Zero cloud dependency.

Regulatory Compliance Officer

  • Automated audit trail maps directly to TSA Emergency Amendment Pillars 1 through 4
  • 24-hour incident documentation available from day one with session logs, user attribution, and timestamps
  • EU NIS2 Article 21 coverage for air transport operators with international routes

How Xona Compares

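Xona

  • Deployment Time: 20 minutes per zone
  • Network Changes: None
  • Protocol Isolation: Full termination at gateway
  • Session Recording: Full recording, replay, attribution
  • TSA Pillar Coverage: All 4 pillars
  • Air-Gap Support: Full
  • 24-Hour Reporting: Automatic via Centralizer
  • Vendor Access Control: Time-limited, asset-scoped, MFA

Traditional VPN

  • Deployment Time: Days to weeks
  • Network Changes: Firewall rules, VLANs
  • Protocol Isolation: None. Tunnel carries all traffic.
  • Session Recording: IP-level logs only.
  • TSA Pillar Coverage: Manual firewall rules
  • Air-Gap Support: Requires stable connection
  • 24-Hour Reporting: Network engineering team
  • Vendor Access Control: Manual log aggregation

Cloud ZTNA

  • Deployment Time: Hours to days
  • Network Changes: Cloud connector config
  • Protocol Isolation: No
  • Session Recording: Partial
  • TSA Pillar Coverage: Pillars 2, 3 partial
  • Air-Gap Support: None
  • 24-Hour Reporting: Cloud-dependent
  • Vendor Access Control: Time-limited, cloud-routed

Jump Server

  • Deployment Time: Hours
  • Network Changes: Network segmentation
  • Protocol Isolation: No
  • Session Recording: Partial or none
  • TSA Pillar Coverage: Pillar 2 partial
  • Air-Gap Support: Limited
  • 24-Hour Reporting: Manual
  • Vendor Access Control: Shared credentials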

TSA Emergency Amendment Compliance in Detail

The Four Pillars

On March 7, 2023, TSA issued an Emergency Amendment requiring cybersecurity measures from TSA-regulated airports under 14 CFR Part 139 and aircraft operators under Parts 121, 125, 129, and the Civil Reserve Air Fleet. This is an Emergency Amendment, not a numbered Security Directive.

EA Pillar 1: Network segmentation

  • Control: IT/OT separation
  • Xona Architecture: CSG enforces session isolation at gateway

EA Pillar 2: Access controls

  • Control: MFA, least privilege, logging, time-limited
  • Xona Architecture: MFA at CSG, role-based access, session recording, time-bounded auth

EA Pillar 3: Continuous monitoring

  • Control: Anomaly detection
  • Xona Architecture: Centralizer real-time session monitoring, replay, alerting

EA Pillar 4: Patch management

  • Control: System maintenance
  • Xona Architecture: On-premises CSG updates via Centralizer; no cloud dependency

24-hour CISA reporting

  • Control: Incident documentation
  • Xona Architecture: Centralizer session logs with timestamped audit trail

Legacy protocol support

  • Control: OT protocol compatibility
  • Xona Architecture: Supported protocols include Telnet, VNC, HTTP/HTTPS, Modbus, DNP3, and aviation ground system protocols. No protocol upgrades or endpoint agents required.

Vendor Access Control

Third-party vendors, OEMs, and maintenance contractors require access to airfield systems, gate automation, and ground support equipment. Xona enforces a structured approval workflow for every vendor session.
Vendor access requires explicit administrator approval before each session begins. Centralizer enforces time-limited, asset-scoped sessions tied to specific maintenance windows. The vendor connects through CSG; access terminates automatically when the window closes. No persistent vendor connection remains after the session ends.
Every vendor session is logged with full attribution: vendor identity, assets accessed, session duration, and all actions taken. Audit records are available for TSA compliance reporting without manual reconstruction.
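
An added example, not part of the original page and not Xona code: an audit pass over vendor session records that flags the access-control failures described above (no MFA, no administrator approval, activity outside the maintenance window, assets outside the approved scope). The record layout, field names, and asset names are hypothetical and the sample data is constructed.

```python
from datetime import datetime

# Constructed sample records. Field names are hypothetical, not a Xona or
# Centralizer export format.
SESSIONS = [
    {"id": "s1", "vendor": "bhs-oem", "mfa": True, "approved_by": "ops-admin",
     "window": ("2025-03-01T02:00", "2025-03-01T04:00"),
     "start": "2025-03-01T02:10", "end": "2025-03-01T03:40",
     "scope": {"bhs-plc-01"}, "accessed": {"bhs-plc-01"}},
    {"id": "s2", "vendor": "agl-oem", "mfa": False, "approved_by": None,
     "window": ("2025-03-01T02:00", "2025-03-01T04:00"),
     "start": "2025-03-01T03:30", "end": "2025-03-01T05:15",
     "scope": {"agl-ctrl-02"}, "accessed": {"agl-ctrl-02", "fuel-scada-01"}},
    {"id": "s3", "vendor": "hvac-oem", "mfa": True, "approved_by": "ops-admin",
     "window": ("2025-03-01T02:00", "2025-03-01T04:00"),
     "start": "2025-03-01T03:50", "end": None,  # session still open
     "scope": {"bms-01"}, "accessed": {"bms-01"}},
]

def audit_session(s, now):
    """Return the list of access-control violations for one session record."""
    findings = []
    if not s["mfa"]:
        findings.append("no-mfa")
    if not s["approved_by"]:
        findings.append("no-approval")
    w_start, w_end = (datetime.fromisoformat(t) for t in s["window"])
    start = datetime.fromisoformat(s["start"])
    # An open session is measured against the audit time, so a connection
    # that outlives its window is caught before it closes.
    end = datetime.fromisoformat(s["end"]) if s["end"] else now
    if start < w_start or end > w_end:
        findings.append("outside-window")
    extra = s["accessed"] - s["scope"]
    if extra:
        findings.append("out-of-scope:" + ",".join(sorted(extra)))
    return findings

def audit(sessions, now):
    """Map session id to findings, omitting sessions with no violations."""
    report = {}
    for s in sessions:
        findings = audit_session(s, now)
        if findings:
            report[s["id"]] = findings
    return report

if __name__ == "__main__":
    for sid, findings in audit(SESSIONS, datetime(2025, 3, 1, 6, 0)).items():
        print(sid, findings)
```

Running the same audit while a maintenance window is still open returns no finding for an in-window open session, so it can be scheduled continuously rather than only after the fact.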

Ground OT Only. Not Avionics.

The Emergency Amendment governs airport and airline operational technology: baggage handling automation, perimeter intrusion detection, access control systems for sterile and secured areas, airfield ground lighting controls, fueling infrastructure SCADA, and ground support equipment automation.

International Coverage

EU NIS2 Article 21 designates air transport operators as Essential Entities with mandatory cybersecurity risk management. ICAO Document 10149 provides aviation cybersecurity guidance for member states. The same deployment that satisfies the TSA Emergency Amendment maps to NIS2 requirements for EU airports.

Technical Specifications

  • OT Protocols: Modbus, BACnet, OPC UA, SCADA-specific, proprietary airport ground equipment interfaces
  • Architecture: CSG (Xona Secure Gateway), XCM (Xona Central Manager), Centralizer
  • Deployment: On-premises, hybrid, air-gapped. No cloud dependency required
  • Endpoints: Agentless, clientless, browser-based. No agents on OT endpoints
  • Certifications: SOC 2 Type II, KuppingerCole Leader 2025
  • v5.5 Features: Session Hold, RDP Auto-Reconnect, concurrent multi-protocol sessions, session transfer

FAQ

Does the TSA Emergency Amendment apply to regional and small airports?

Yes. It applies to all TSA-regulated airports under 14 CFR Part 139 and airline operators under Parts 121, 125, 129, and CRAF. Airport size does not determine applicability. If your airport holds a Part 139 certificate, the requirements apply.

What airport OT systems are "Critical Cyber Systems" under the Emergency Amendment?

Baggage handling automation, perimeter intrusion detection, access control systems for sterile and secured areas, airfield ground lighting controllers, fueling infrastructure SCADA, and building management systems in secure terminal areas.

Does this apply to aircraft avionics or flight systems?

No. Avionics are governed by FAA under 14 CFR Part 25, RTCA DO-326A, and DO-356A. The Emergency Amendment covers airport and airline ground operational technology only.

We already addressed TSA requirements with a VPN. Is that sufficient?

A VPN that puts vendor laptops on your control system network does not meet Pillar 2. The Emergency Amendment requires least-privilege access, session logging, and time-limited authorization. A VPN grants network-level access with no session boundaries, no time limits, and no per-action recording.

How does this relate to the TSA pipeline and rail directives?

TSA SD-02F (pipeline), SD 1580/82 (rail), and the March 2023 Emergency Amendment (aviation) share the same four technical requirements. The architecture that satisfies one satisfies all three.

Our airport operates 24/7. How does deployment work without disrupting operations?

The CSG deploys in 20 minutes per site. Deployment requires no changes to OT network topology or control system configurations. Network firewall policies may require minor updates to enable the CSG connection path. No new VLANs. No downtime required for OT systems during installation. The gateway communicates outbound to Centralizer only. No inbound ports opened on the airport network.

What is the penalty for non-compliance with the Emergency Amendment?

$13,910 per day per violation. Violations are assessed per requirement, meaning multiple non-compliant controls can generate concurrent daily penalties.

Can Xona support both domestic and international airport operations under different regulatory frameworks?

Yes. The same deployment satisfies the TSA Emergency Amendment for U.S. operations and maps to EU NIS2 Article 21 for European air transport operators. ICAO Document 10149 provides additional guidance for international member states. One architecture covers multiple jurisdictional requirements.

Stop Running Airport OT on VPN Credentials. Start Satisfying All Four TSA Pillars.

20-minute deployment per airport zone. $13,910 per day per violation avoided. All four TSA Emergency Amendment pillars covered through one on-premises architecture.