US lawmakers seek information from DHS, DOT on their security processes in transportation systems

A bipartisan group of ten U.S. senators has sent a letter to the Department of Homeland Security (DHS) and the Department of Transportation (DOT), requesting information about the two departments’ ability to meet their responsibilities, as co-Sector Risk Management Agencies (SRMAs), to detect, prevent, and respond to cyber threats to the nation’s critical transportation systems and infrastructure.

In the letter, addressed to Secretary of Homeland Security Alejandro Mayorkas and Secretary of Transportation Pete Buttigieg, the senators wrote that “in anticipation of increasing cybersecurity threats to transportation systems, DHS and DOT must have the capabilities and resources to prevent and address these threats. As such, we request information about DHS and DOT’s security-related processes to detect, prevent, and respond to cyber threats, including the responsibilities of each component agency under the Transportation Systems Sector-Specific Plan to secure the nation’s critical infrastructure.”

The letter to the federal agencies was sent by U.S. Senators Rob Portman, a Republican from Ohio and Ranking Member of the Senate Homeland Security and Governmental Affairs Committee; Jacky Rosen, a Democrat from Nevada and a member of both the Senate Homeland Security and Governmental Affairs Committee and the Senate Commerce, Science, and Transportation Committee; and Roger Wicker, a Republican from Mississippi and ranking member of the Commerce Committee. They were joined by Senators Shelley Moore Capito, a Republican from West Virginia; Maggie Hassan, a Democrat from New Hampshire; Todd Young, a Republican from Indiana; Amy Klobuchar, a Democrat from Minnesota; Dan Sullivan, a Republican from Alaska; Raphael Warnock, a Democrat from Georgia; and James Lankford, a Republican from Oklahoma.

The security concerns raised by the legislators come as cyberattacks on American transportation infrastructure are escalating in both frequency and severity, as evidenced by the ransomware attack on Colonial Pipeline last May, which led to the shutdown of the pipeline network that carries nearly half the gasoline, diesel, and jet fuel for the East Coast. The legislators also said in their letter that ransomware attacks on the transportation industry increased by 186 percent between June 2020 and June 2021.

The senators highlighted that several state and local transit agencies are not fully equipped to implement more than basic cybersecurity protections. “In fact, a study by the Mineta Transportation Institute found that only 60% of transit agencies had a cybersecurity plan in place last year. Nevertheless, other entities in the extensive and diverse transportation sector, which includes aviation, highways, motor carriers, maritime transportation, railroads, rail transit, and pipelines, have been implementing comprehensive cybersecurity plans for decades in collaboration with Federal agencies,” they added. 

As such, federal efforts “to ensure that our nation is properly prepared to address cybersecurity threats to the transportation system require a delicate balance to provide critical assistance to entities that need new or additional cybersecurity support, while recognizing effective practices that some entities already have in place,” according to the senators’ letter. 

The senators also requested information about how DHS and DOT are meeting their six responsibilities as co-SRMAs, which include supporting sector risk management, assessing sector risk, providing sector coordination, facilitating the sharing of information regarding physical security and cybersecurity threats within the designated sectors or subsectors, supporting incident management, and contributing to emergency preparedness efforts.

The legislators also sought an update on how DHS and DOT collaborate to avoid both gaps and redundancies in federal risk management, including specific roles for each agency and delineation of law enforcement and safety responsibilities. The letter also called attention to the fact that while the transportation systems sector-specific plan from 2015 is a helpful tool, “the nature of risk to our critical infrastructure has changed over the past six years.”

Given the rise in ransomware attacks, the senators requested from DHS and DOT “information on any efforts to update the Transportation Systems Sector-Specific Plan to provide the most effective assistance possible to improve the security and resilience posture of the nation’s transportation system.”

Last month, the TSA introduced two new security directives and additional guidance for voluntary measures for surface transportation systems and associated infrastructure. These initiatives aim to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to the infrastructure.

The directives called upon owners and operators to designate a cybersecurity coordinator, and report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours, in addition to developing and implementing a cybersecurity incident response plan to reduce the risk of operational disruption. Owners and operators of surface transportation systems and associated infrastructure will also have to complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems, as part of the new provisions.
