The U.S. Department of Homeland Security (DHS) announced Wednesday that the Transportation Security Administration (TSA) is preparing to impose new cybersecurity demands on the railroad and aviation industries. This will include reporting requirements as part of a department effort to force compliance in the wake of high-profile cyber attacks on the critical infrastructure sector.
“To strengthen the cybersecurity of our railroads and rail transit, TSA will issue a new security directive this year that will cover higher-risk railroad and rail transit entities and require them to identify a cybersecurity point person; report incidents to CISA; and put together a contingency and recovery plan in case they become a victim of malicious cyber activity,” Secretary of Homeland Security Alejandro N. Mayorkas said in a keynote address at the 12th Annual Billington CyberSecurity Summit. “We are coordinating and consulting with industry as we develop all of these plans.”
For lower-risk surface entities, TSA will issue separate guidance that encourages, rather than requires, these entities to take the same measures, according to Mayorkas. Reducing cybersecurity risk is in every organization’s self-interest, especially considering the indiscriminate nature of ransomware, he added.
“Beyond the most urgent and important measures required by the security directive, TSA is initiating a rulemaking process to develop a longer-term regime to strengthen cybersecurity and resilience in the transportation sector,” he added. “To maximize industry input and inform this rulemaking process, TSA will issue an information circular recommending the completion of a cybersecurity self-assessment.”
Replicating these steps, the TSA has also begun updating its aviation security program to put in place cybersecurity demands requiring critical U.S. airport operators, passenger aircraft operators, and all-cargo aircraft operators to designate a cybersecurity coordinator and to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA). TSA will expand the covered entities gradually to other relevant entities and consider additional measures over time.
Taken together, these elements – a dedicated point of contact, cyber incident reporting, and contingency planning – represent the bare minimum of today’s cybersecurity best practices, he added.
“We are also advancing initiatives like CISA’s CyberSentry program, a voluntary partnership between government and business that helps us spot sophisticated threats early, understand how far they reach, share critical guidance, and collaborate with network defenders on responding swiftly and effectively,” according to Mayorkas.
Further, cybersecurity demands will be a top priority in the next cycle of the Federal Emergency Management Agency’s (FEMA) transportation-related grant programs to ensure that funding is being driven towards key efforts. A new working group with CISA, FEMA, TSA, and the Coast Guard is driving this forward. Mayorkas said that “in my first month in office, we already increased the required minimum spent on cybersecurity through FEMA grant awards to 7.5%, a significant increase across the country.”
The U.S. administration has also bolstered the maritime transportation system by releasing a new Cyber Strategic Outlook in August, its first update since 2015, and it is now integrating cyber risk management into vessel and facility safety and security planning and operations. The Coast Guard is also deploying cybersecurity specialists to major U.S. ports to oversee assessments, evaluate plans, and lead preparedness and response activities.
Secretary Mayorkas said that starting this month over 2,300 maritime entities must submit a dedicated cyber plan to the Coast Guard, address any cybersecurity vulnerabilities identified in their Facility Security Assessments, and outline the owner or operator’s cybersecurity mitigation measures. These facilities and vessels are required to report cyber incidents. The Coast Guard and CISA work closely together to respond to cyber incident reports, assess and mitigate risks to critical infrastructure, and provide oversight and technical support to the industry.
At the same time, with most global trade transported on foreign ships, the Coast Guard is working with the International Maritime Organization (IMO) and member countries to ensure that global cargo and passenger vessels conduct cyber risk assessments and develop mitigation plans under their existing safety management system, he added. These rules came into effect earlier this year, and they are now being implemented on board ships calling at every American port.
In the wake of the Colonial Pipeline ransomware attack that hit in May, which led to the closure of the 5,500-mile (8,900-km) system, TSA issued two security directives in May and July, designed to strengthen the security of the country’s pipelines. The TSA now calls upon pipeline owners and operators to designate a cybersecurity coordinator, report cyber incidents to CISA within 12 hours, implement a number of basic hygiene measures, develop contingency plans in the event of a cyberattack, and subject their systems to robust vulnerability testing.
Applying lessons learned from that experience, TSA is now laying the foundation for a more secure and resilient aviation and surface transportation sector, Mayorkas said.
In its 2021 Midyear Cybersecurity Report, Trend Micro said that cybercriminals across the board were busy in the first half of 2021, with no signs of slowing down. “Within the last six months, we saw a ransomware group shut down a major gas provider and leave half of the US East Coast without fuel. Other ransomware operators used double extortion tactics to get million-dollar payouts from enterprises. Advanced persistent threat (APT) teams compromised integral enterprise tools like Amazon Web Services (AWS) cloud servers, Kubernetes, and a popular webmail platform in Asia, all with different agendas,” according to the report.
The U.S. government has been ramping up cybersecurity demands to protect the assets of its critical infrastructure sector. In August, the administration established a voluntary industrial control systems (ICS) initiative that envisages collaboration between the federal government and the critical infrastructure community to significantly improve the security of these critical systems.
The White House has also signed a national security memorandum to enhance security for critical infrastructure control systems, focused on building the cybersecurity and resilience of these systems. It was followed by CISA launching an effort called the Joint Cyber Defense Collaborative (JCDC) to lead the development of the nation’s cyber defense plans by working across the public and private sectors to help defend U.S. critical infrastructure.
U.S. President Joe Biden said in a recent statement that he was “committed to strengthening our cybersecurity by hardening our critical infrastructure against cyberattacks, disrupting ransomware networks, working to establish and promote clear rules of the road for all nations in cyberspace, and making clear we will hold accountable those that threaten our security.”