The Department of Homeland Security (DHS) Transportation Security Administration (TSA) issued its anticipated cybersecurity requirements for surface transportation modes as part of its wider focus on bolstering cybersecurity across several sectors through a series of efforts it calls sprints.
The TSA Security Directives published Dec. 2, 2021, target higher-risk freight railroads, passenger rail and rail transit due to the “ongoing cybersecurity threat to surface transportation systems and associated infrastructure to prevent against the significant harm to the national and economic security of the United States.”
The Security Directives take effect Dec. 31, 2021, and will require owners and operators identified in 49.CFR 1582.101 to:
- Designate a cybersecurity coordinator;
- Report cybersecurity incidents to Cybersecurity and Infrastructure Security Agency within 24 hours;
- Develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption; and,
- Complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.
While the requirements included in the Security Directives apply to a select group of rail owners/operators, TSA also issued an Information Circular encouraging all owners/operators to implement the actions laid out in the Security Directives.
“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” said Secretary of Homeland Security Alejandro N. Mayorkas. “DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”
Secretary Mayorkas discussed the Security Directives in an Oct. 16 speech where he called the actions required in the Security Directives - a dedicated point of contact, cyber incident reporting and contingency planning – the “bare minimum of today’s cybersecurity best practices.”
TSA also expects to initiate a rule-making process for certain surface transportation entities to increase their cybersecurity resiliency.
Second T&I Committee hearing on cybersecurity
The day the Security Directives were issued also happened to see the second of two full Committee on Transportation & Infrastructure hearings focused on infrastructure cybersecurity.
TSA Deputy Assistant Administrator Victoria Newhouse noted in her testimony that issuing directives is one step in what the administration sees as a collaborative process to enhance cybersecurity.
“Our work does not simply end after issuing these cybersecurity requirements. On the contrary, the TSA enterprise continues our robust stakeholder engagement to mitigate cyber threats. We work closely with these covered operators to successfully implement these requirements, educate our vast network of transportation operators and continue to seek input from both the [Surface Transportation Security Advisory Committee] and the Aviation Security Advisory Committee on how to best integrate cybersecurity into the fabric of our transportation security mission.”
While the risk to rail and transit systems is recognized, U.S. Department of Transportation Assistant Inspector General for Information Technology Audits Kevin Dorsey testified that an at-risk transit system could also expose the Federal Transit Administration (FTA):
“We recently reported that FTA’s financial management systems have several security control deficiencies that could affect the agency’s ability to approve, process and disburse grant funds, including nearly $70 billion in COVID-19 relief appropriations. Security controls for FTA financial management systems are especially critical given that the transit industry is vulnerable to cyberattacks. For example, we reported that in 2020 and 2021, at least five FTA grant recipients were victims of cyberattacks that exposed [personal identifiable information], personnel data and financial data. Grant recipients’ security incidents may result in the compromise of usernames and credentials and expose FTA to cyberattacks that may delay the distribution of COVID-19 related funds to recipients.
“Despite these risks, we found that FTA did not always effectively select, document, implement, and monitor the security controls for its financial management systems. For example, FTA security officials reported that 139 of 269 security controls were satisfied, but we found they were not tested or implemented as required. As a result of these and other issues, FTA officials may not have accurate pictures of security risks. Additionally, FTA has not remediated longstanding security control weaknesses that it has identified since 2016—including issues with multifactor authentication—which increases the risk that malicious actors could gain unauthorized access. Other weaknesses include unsecure databases, a lack of integrity monitoring tools, and insufficient contingency and incident response planning. If compromised, these weaknesses could lead to a cybersecurity attack.
The report referenced in Dorsey’s testimony contains redactions of specific actions, but does note FTA has taken steps to incorporate enhancements to its IT security. Additionally, FTA Administrator Nuria Fernandez points out in her response the $38 billion in COVID-19 funding that had been distributed at the time of the report with zero major incidents.
------------
The Security Directive for Enhancing Public Transportation and Passenger Railroad Cybersecurity is linked here.
The Information Circular for rail and transit systems not included in the Security Directive is linked here.
The TSA's Surface Transportation Cybersecurity Toolkit can be found here.
