The Department of Homeland Security’s cybersecurity sprint for the transportation sector is yielding a minimum set of cybersecurity requirements that is slowly spreading out across pipelines, rail operators, aviation and other entities.
Last week, the Transportation Security Administration issued new cybersecurity directives for rail operators. The requirements will apply to approximately 80% of freight rail operators and 90% of passenger rail across the country, according to Department of Homeland Security officials.
They require operators to establish a 24/7 cybersecurity coordinator; report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours; develop a cyber incident response plan within 180 days; and conduct a cyber self-assessment within 90 days.
TSA’s push to issue cybersecurity requirements began in the wake of the Colonial Pipeline hack in May, when that company’s corporate network was shut down by ransomware, forcing the pipeline to cease operations for several days and leading to gas shortages on the East Coast.
In late May, TSA issued an initial security directive requiring high-risk pipelines and natural gas facilities to report cyber incidents to CISA within 12 hours. It also requires the appointment of a cybersecurity coordinator and a self-assessment of cybersecurity practices.
Victoria Newhouse, deputy assistant administrator for policy, plans and engagement at TSA, said all covered pipelines are in compliance with the May directive.
A second TSA directive in July requires pipelines to take specific actions to defend against ransomware. That directive has not been released to the public.
During a hearing before the House Transportation Committee last week, Newhouse said TSA applied lessons from the pipeline effort in developing the new security directives for rail operators. One of the biggest challenges, she said, is defining what exactly constitutes a reportable cyber incident.
“We’ve made it more effective, less broad, so it’s an incident that’s reasonably likely to have a devastating impact on any of their systems,” Newhouse said.
TSA is also directing similar cyber requirements to the aviation sector. The agency recently updated its standard security program for aviation to require the appointment of a cybersecurity coordinator and the reporting of cyber incidents to CISA. Future updates will include requirements for a cybersecurity self-assessment and cyber incident response plan, DHS officials told reporters on a background call last week.
“Those four requirements will be in place for our larger airports and aircraft operators,” a DHS official said.
TSA’s actions put the agency ahead of potential new legislative requirements in multiple sectors. The House version of the fiscal year 2022 National Defense Authorization Act would set a 72-hour cyber incident reporting requirement for all critical infrastructure operators. The Senate is considering similar legislation, but it has yet to pass the annual defense bill.
But challenges also remain in securing both public and private sector critical infrastructure, according to Nick Marinos, director of information technology and cybersecurity at the Government Accountability Office.
“I think that the bottom line is that we are constantly operating behind the eight ball,” Marinos said. “We have seen consistently in our work that agencies have had challenges in maintaining very up-to-date sector plans that actually would talk about the cyber threats that agencies are facing and the infrastructure is facing today.”
With cybersecurity threats crossing multiple sectors and jurisdiction boundaries, Marinos stressed the need for a national cyber strategy to address the growing problem.
“While there is resiliency built in in many ways to physical attacks, the cyber attacks continue to show us that we need to do more to not only shore up specific sectors, but the entire nation’s approach to cybersecurity as well,” he said.
Meanwhile, Congressional Republicans have also pushed back on TSA’s new cybersecurity mandates. They’ve asked the DHS Inspector General to investigate how TSA developed the new requirements for pipelines, arguing that the agency rushed them out the door and did not adequately consult industry experts.
Rep. Brian Babin (R-Texas) acknowledged the federal government has a legitimate role to play in protecting companies from cyber attacks. But he also argued cyber intrusions are hard to track and requirements could unintentionally hurt businesses.
“We’ve got to be extraordinarily careful as lawmakers and as rule makers that we don’t meddle into something we don’t properly understand and unintentionally create more bloated regulation or stifle innovation with overly burdensome requirements that don’t truly secure our infrastructure,” Babin said. “Any policy we push forward has got to be aggressive, but consistent with our nation’s founding principles.”
Newhouse said the agency is responding to those concerns.
“We have heard a number of concerns to ensure that all operators large and small can apply these cybersecurity measures in an effective and efficient manner, so we do take that into consideration,” she said. “And we continue to elicit feedback. We’re not just done when we issue the documents. It’s a continuous feedback loop and improvement and we have to stand committed to that.”
And DHS isn’t done issuing cyber requirements yet either. The directives issued to both pipelines and rail operators are temporary measures issued under emergency authority. Next year, officials say DHS will issue a formal rulemaking to implement a long-term plan for strengthening cybersecurity in the transportation sector.
“The requirements that we’ve gone out with at this point, we feel are very much baseline requirements that industry should be doing anyway as a matter of best practice and cyber hygiene,” a senior DHS official told reporters last week. “But we thought it was important to go out and establish that baseline now. And we will continue to evaluate going forward necessary and appropriate next steps.”