House Committee hearing on cybersecurity measures by federal agencies to deal with malicious cyber activities

The House Committee on Transportation and Infrastructure held its second hearing on Thursday, where it heard from the federal agencies responsible for transportation systems and other critical infrastructure sectors about their efforts to help private industry address malicious cyber activities and close cybersecurity gaps. These agencies also highlighted the challenges they face in protecting the government’s own networks from cyberattacks.

The hearing included officials from the U.S. Department of Transportation, the Federal Aviation Administration (FAA), the Transportation Security Administration (TSA), the U.S. Coast Guard, the Office of the Inspector General for the DOT, and the Government Accountability Office (GAO). Cyber threat actors have repeatedly demonstrated their willingness and ability to conduct malicious cyber activity that targets critical infrastructure by exploiting vulnerabilities in internet-accessible OT (operational technology) assets and IT systems.

In the cybersecurity realm, the federal government has largely permitted the private sector to take a ‘voluntary approach’ to protect their assets, choosing not to mandate cybersecurity standards, cyber audits, or cybersecurity exercises, Peter DeFazio, a Democrat from Oregon, and chair of the House Committee on Transportation and Infrastructure, said in a media statement. “In contrast, in other areas where private sector assets have the potential to cause significant harm, the government has established requirements to protect the public.”

Yet, when it comes to intrusions into the networks of a critical infrastructure entity, an intrusion that could damage critical components of an airplane, a train, an oil or gas pipeline, or a port facility, if that network belongs to a private company, up until now, the federal government has merely asked for ‘voluntary’ cooperation, he added. 

“As we learned at our last hearing, an astounding 30 percent of public transit agencies failed to report known breaches to anyone,” according to DeFazio. “I expect the statistics in the private sector are far worse. In addition, the short-term financial implications of making a cyber breach public, possibly affecting a company’s economic bottom line or shrinking a CEO’s bonus, inhibits cybersecurity transparency, masking known vulnerabilities that should be quickly corrected.”

Implementing basic cybersecurity standards, reporting requirements, and cybersecurity awareness training should not be voluntary—they should be required, DeFazio said. “The public’s safety and the nation’s security depend on these systems. While no single change can prevent every cyberattack, we need to raise the bar significantly and make cyberattacks on our systems much more difficult to accomplish,” he added.

U.S. Department of Transportation Chief Information Officer Cordell Schachter said in his statement, “I want to transparently acknowledge that we have multiple open findings from previous OIG and GAO cybersecurity audits. I have designated cyber security improvement as the top priority for DOT’s Information Technology organization, the Office of the Chief Information Officer.”

He added that his department has begun a series of ‘cyber sprints’ that will establish Plans of Action and Milestones to meet federal cybersecurity requirements and implement best practices, including those from President Biden’s Executive Order 14028, Improving the Nation’s Cybersecurity, the Federal Information Technology Acquisition Reform Act (FITARA), the Federal Information Security Management Act (FISMA), Office of Management and Budget (OMB) memoranda, the National Institute for Standards and Technology (NIST) Cybersecurity Framework, and inspector general and GAO findings.

“We look forward to working with this Committee, our agency partners, and the White House to strengthen and protect our infrastructure and systems,” Schachter added.

Malicious cyber actors continue to target U.S. critical infrastructure, including transportation systems, through malicious cyber activity and cyber espionage campaigns, Victoria Newhouse, deputy assistant administrator at the TSA, wrote in her testimony.

“For instance, the ransomware incident against Colonial Pipeline last May underscores this threat. The United States’ adversaries and strategic competitors will continue to use cyber espionage and malicious cyber activity to seek economic, political and military advantage over the United States and its allies and partners,” according to Newhouse. “TSA is dedicated to protecting our Nation’s transportation networks against evolving threats and continues to work collaboratively with public and private stakeholders to expand the implementation of intelligence-driven, risk-based policies and programs and continue robust information sharing to reinforce the security posture of these networks,” she added.

Recent destructive cyber activities highlight the risk posed to the vast networks and system of the MTS, Rear Admiral John W. Mauger, assistant commandant for prevention policy in the U.S. Coast Guard (USCG), said in his testimony. “Cyber attacks, such as ransomware attacks, can have a devastating impact on the operations of maritime critical infrastructure. A successful cyber attack could impose unrecoverable losses to port operations, electronically-stored information, national economic activity, and disruption to global supply chains.”

The increased use of automated systems in shipping, offshore platforms, and port and cargo facilities creates enormous efficiencies, but also introduces additional attack vectors for malicious cyber actors, according to Mauger. “This growing reliance on cyber-physical systems and technologies requires a comprehensive approach by all MTS stakeholders to manage cyber risks and ensure the safety and security of the MTS,” he added.

“Our efforts to address cybersecurity challenges have benefited from congressional oversight, our own initiatives, and our cooperative efforts with other executive branch agencies,” Larry Grossman, chief information security officer at the FAA, said in his statement. “As the technology of the aviation ecosystem evolves, we expect that cybersecurity will continue to be a growing challenge and a significant aspect of both aviation safety and the efficient use of airspace. We look forward to keeping Congress informed of our progress on all aspects of cybersecurity,” he added.

At last month’s hearing, members of the House Committee on Transportation and Infrastructure heard industry perspectives about the gaps in the nation’s ability to prevent, prepare for, respond to, and recover from cyberattacks against critical infrastructure and transportation networks. Since the committee’s last hearing, the U.S. Congress has also passed with bipartisan support, and the President has signed, H.R. 3684, the Infrastructure Investment and Jobs Act. Along with other vital investments in the U.S. infrastructure sector, the bill takes significant steps toward improving the cybersecurity of critical infrastructure.

Last week, the TSA announced two new security directives and additional guidance for voluntary measures for surface transportation systems and associated infrastructure. These initiatives aim to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to the infrastructure.