Senate Republicans flag concerns about TSA cybersecurity directives, propose more collaborative approach


The U.S. Senate Committee on Commerce, Science, and Transportation raised concerns about the Transportation Security Administration’s (TSA) plans to issue additional cybersecurity directives using its emergency authority for security mandates, a move that would bypass important feedback from experts on the impacts of such mandates. In a letter signed by a group of Republican senators, they propose that the TSA should adopt a more collaborative approach that can enhance cybersecurity across surface transportation industries.

The cybersecurity directives will apply to the rail, rail transit, and aviation industries. The new requirements may undercut existing cybersecurity arrangements that are functioning well, the letter said. The required reporting of cybersecurity incidents to the government may also prove unworkable. Rail and aviation stakeholders have expressed concerns that the definition of cybersecurity incidents is so broad that the transportation sector may waste time and limited resources reporting insignificant incidents, without sufficient time to assess their severity, it added.

Earlier this month, speaking at the annual Billington Cybersecurity Summit, Homeland Security Secretary Alejandro Mayorkas confirmed that the cybersecurity regulations slated to be released by the end of the year will help to strengthen cybersecurity and require critical transport and higher-risk railroad companies to disclose cyber incidents to the government, identify cyber officials, and prepare contingency plans for cyberattacks.

“We recognize that circumstances sometimes demand that TSA act quickly using emergency authority,” U.S. Senators Roger Wicker, a Republican from Mississippi and ranking member of the Senate Committee on Commerce, Science and Transportation, John Thune, a Republican from South Dakota, Deb Fischer, a Republican from Nebraska, Todd Young, a Republican from Indiana, and Cynthia Lummis, a Republican from Wyoming, wrote in the letter. “Nevertheless, the very importance of effective cybersecurity for critical infrastructure, such as the rail, rail transit, and aviation systems, counsels against acting rashly in the absence of a genuine emergency.”

Prescriptive requirements may be out of step with current practices and limit the affected industries’ ability to respond to evolving threats, thereby lessening security, the Senators wrote. Further, prescriptive requirements may have unintended consequences, such as imposing unnecessary operational delays at a time of unprecedented congestion in the nation’s supply chain. Additionally, allowing outside experts to comment will lead to more effective and sustainable cybersecurity actions and measures. A more deliberate approach will reduce the risks and increase the benefits, the letter added.

The Senators suggested that the TSA should adopt a more collaborative approach that can reliably enhance cybersecurity in the rail, rail transit, and aviation industries.

“Rather than prescriptive requirements that may not enhance capabilities to address future threats, TSA should consider performance standards that set goals for cybersecurity while enabling businesses to meet those goals,” according to the letter. If a determination is made to proceed with specific mandates, the notice and comment process would at least allow for thoughtful consideration of industry practices and concerns. Whatever the path forward, TSA must be responsive to inquiries and mindful of potential harms and adverse effects on practices that are working well, it added.

Commenting on the timeline of cybersecurity actions undertaken by the U.S. administration since May, the senators noted that the White House released the ‘National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems’ at the end of July, envisioning and urging a collaborative process between industry and government. “Rather than engaging the experts in rail, rail transit, and aviation sectors, however, TSA is now embarking on a unilateral approach that excludes input under the confusing guise of an emergency threat to disparate modes of transportation, even though five months have elapsed since the Colonial Pipeline ransomware attack,” the letter added.

Earlier this month, Jessica Kahanek, director of media relations at the Association of American Railroads, told Bloomberg that the rail industry had only three business days “to review and provide feedback on the draft security directive.” Kahanek said railroads have already been working to address cyber risks with government agencies and prefer the administration’s previous approach, outlined in July, that involved public-private partnership.

Kahanek said the new directive would require railroads to undertake actions “that have long been in place,” including appointing cybersecurity coordinators, reporting information on cyber threats, and maintaining risk management and recovery plans.

“AAR hopes the substantive comments provided will be thoroughly considered in the decision on whether to proceed with the directive and to ensure any actions taken enhance, not hinder, coordinated cybersecurity efforts,” Kahanek said in a statement.

The legislative branch of the U.S. government has also been busy introducing new cybersecurity measures to deal with rising cybersecurity threats and attacks. Earlier this month, a bipartisan ‘Cyber Incident Reporting’ bill was introduced in the U.S. Senate that would require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a cyber-attack, and most entities to report if they make a ransomware payment.

The bill seeks to improve federal agencies’ understanding of how to best combat cyber-attacks, hold hackers accountable for targeting U.S. networks, and bolster the federal government’s ability to help prevent these attacks from further compromising national security and disrupting the lives and livelihoods of Americans.

Another bipartisan bill, requiring critical infrastructure firms to disclose cybersecurity incidents to CISA within 72 hours of discovery, was released by the U.S. House Homeland Security Committee. The ‘Cyber Incident Reporting for Critical Infrastructure Act of 2021’ is set to establish a mandatory cyber incident reporting framework for critical infrastructure owners and operators.
