House Homeland Committee scrutinizes cyber security directives on transportation sector

The Committee on Homeland Security met on Tuesday at a joint subcommittee meeting to consider industry-wide cyber security directives for the transportation sector. Representatives cautioned that as the Department of Homeland Security (DHS) embarks upon this new approach, it must act deliberately to ensure its mandates deliver the intended security results.

In his joint subcommittee hearing statement, Chairman Bennie G. Thompson, a Democrat from Mississippi, warned that as DHS considers plans for securing other critical infrastructure sectors from cyber attacks, the transportation sector may serve as a model for the prospect of mandating cybersecurity measures. DHS must be transparent with Congress, stakeholders, and the public about its successes and failures, he wrote.

He recommended that the DHS Transportation Security Administration (TSA) unit work in close collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and industry experts to develop requirements that are intelligence-based, actionable, and crafted to achieve security benefits. DHS must also develop a plan for building the cybersecurity expertise and resources it will need at TSA and CISA to carry out robust outreach and enforcement efforts, not just for the immediate implementation of new requirements, but as a regular way of doing business going forward.

The recent cyber security directives for pipelines – and Secretary Mayorkas’ announcement of forthcoming requirements for rail, transit, and aviation – are justified, necessary, and an important first step, Transportation & Maritime Security Subcommittee Chairwoman Bonnie Watson Coleman, a Democrat from New Jersey, wrote in a statement. But more action is needed, she added.

For instance, TSA must ensure all transportation modes are covered. Particularly as vehicles become increasingly connected and autonomous, the cybersecurity of motor carriers and buses cannot be forgotten. Meanwhile, the Coast Guard needs to hold ferries, ports, and other maritime systems to similar standards, Coleman added.

There’s also the question of implementation and enforcement. If an operator proposes an alternative procedure that maintains robust cybersecurity, TSA needs to provide timely, substantive feedback, according to Coleman. “By the same token, if operators fail to comply – leaving our Nation’s critical infrastructure vulnerable to attack – TSA must have the resources to enforce the rules. And ultimately, TSA should pursue traditional notice-and-comment regulations so stakeholders can offer meaningful input,” she added.

TSA’s security directives on pipelines – and pending security directives on transit, rail, and aviation – present an opportunity to better understand the Administration’s security goals, how the security directives align with those goals, and the private sector’s ability to effectively implement the directives, Cybersecurity, Infrastructure Protection, & Innovation Subcommittee Chairwoman Yvette Clarke, a Democrat from New York, wrote in her statement.

“Today, I hope to identify the lessons learned from the rollout and implementation of the pipeline security directives, so we can use them to inform future transportation security directives to ensure that they are buying down risk and yielding the security benefits we expect,” according to Clarke. “More broadly, I hope today’s conversation will provide insight into how we can raise the cybersecurity posture across critical infrastructure sectors,” she added.

A witness at Tuesday’s hearing, Scott Dickerson, executive director of the Maritime Transportation System Information Sharing and Analysis Center Institute, stated in his testimony that sharing cyberthreat information is a key element to improving resiliency, and that will work best if industry and ISACs are engaged as envisioned by CISA 2015.

“Whether it is related to incident response or proactive threat information sharing, we need true collaboration between the Federal government and other public and private sector organizations,” according to Dickerson.

“Currently this is not an effective system of public-private partnership and collaboration. It feels like industry is being threatened with additional regulation and security directives rather than being treated as the partners who own and operate the vast majority of critical infrastructure,” he added.

“I am pleased to see that the Committee on Homeland Security is taking seriously the need to improve cybersecurity for critical infrastructure by holding today’s hearing,” Nick Cappi, cyber vice president for portfolio strategy and enablement at Hexagon PPM, wrote in an emailed statement. “With that said, I am concerned with the disjointed approach of going from one industry to the next defining standards and or mandates. It’s time to take a step back and define a single critical infrastructure cybersecurity standard,” he added.

The U.S. government has been ramping up cybersecurity demands for protecting U.S. critical assets and infrastructure after malicious cyber attackers deployed DarkSide ransomware that led to the compromise of the Colonial Pipeline networks in May, which forced the company to take certain systems offline to contain the threat.

Hackers were able to breach the system with a single password, using a virtual private network that did not require multifactor authentication, Colonial Pipeline CEO Joseph Blount told senators at a committee hearing in June. Blount also revealed that the company paid the ransom only one day after learning of the attack.

Apart from Colonial Pipeline, JBS USA, a large beef supplier, paid a ransom to malicious cyber actors who had infiltrated its networks and threatened the U.S. meat supply.

There was also a cybersecurity incident in August at a major U.S. port, which was targeted by suspected nation-state hackers, according to officials.

In February, unidentified cyber attackers were able to gain access to a panel that controls the water treatment plant at the city of Oldsmar near Tampa, Florida. A modification in the setting would have drastically increased the amount of sodium hydroxide in the water supply, which could have led to poisoning the water supply to the city.

Subsequently, in May, the Metropolitan Water District of Southern California was allegedly hacked by supposedly Chinese-backed hackers using security vulnerabilities in Pulse Connect Secure appliances, which were first brought to the public’s attention in April by CISA.

“A prime target for cybercriminals has been the Operational Technology (OT) networks which interconnect the Industrial Control Systems (ICS) that manage our critical infrastructure,” the World Economic Forum said in a report last week. “As services like power grids, water treatment facilities, transport and healthcare systems increasingly integrate their operational technology systems with the internet of things – for example through remote sensors and monitoring – this creates a new frontier of risks where millions more vulnerability points and new vectors can be exploited by hackers,” it added.
