“There is no better example of how the cybersecurity threat can impact our lives than in the transportation sector and how people commute, see one another, engage with one another,” Homeland Security Secretary Alejandro Mayorkas said in remarks to the Billington CyberSecurity Summit.
The new mandates will apply to passenger rail companies such as Amtrak as well as large subway systems including New York’s and Washington’s, officials said.
Following the May ransomware attack on the Colonial Pipeline, the Transportation Security Administration, a DHS agency, issued the first of two emergency “security directives.” The first one required pipeline companies to report cyber incidents to DHS and to name a cybersecurity point person.
In July, it followed up with more substantive rules requiring companies to develop an incident response plan, as well as more prescriptive security measures. The rules drew some criticism, with industry groups saying the standards would have benefited from greater consultation.
“Applying lessons learned from that experience, TSA is now laying the foundation for a more secure and resilient . . . surface transportation sector,” Mayorkas said.
The coming directive will require the largest and most critical rail and transit systems to identify a cybersecurity point person, report incidents to the Cybersecurity and Infrastructure Security Agency (CISA) and create an incident recovery plan, he said.
The new directive, which will expire in one year, will not be as prescriptive as the one issued in July for pipelines. The TSA, Mayorkas said, will undertake a full rulemaking process to develop more permanent regulations — a process that requires the agency to solicit public comment, among other things.
For “lower-risk” rail entities, TSA will issue voluntary guidance that “encourages, rather than requires” these companies to take the same measures, Mayorkas said.
Railroad industry officers said the new mandates are not necessary. “We’re doing all of those [measures],” said Thomas Farmer, assistant vice president for security at the Association of American Railroads, which represents the seven largest freight railroads and Amtrak, among other large systems.
Farmer said the railroad industry has had a coordinating committee on cybersecurity matters dating to 1999, when it was formed in anticipation of a global digital crisis occasioned by computers being unable to account for the turn of the millennium. The “Y2K” crisis never materialized, but the committee was retained and has been regularly sharing information on cyberthreats, protective measures and more with the federal government since 2014.
“So it is surprising to have mandates for these actions that we have been taking for a long time,” he said.
The railroad association was provided only three business days to comment on the planned directive, he said. He said the group “assembled a lot of feedback” and he hopes “it will be seriously considered.”
He said the industry does not believe regulation is the best way to achieve cybersecurity. “From our perspective, we can be far more effective working collaboratively with government than is the case with mandates by security directives or rulemaking,” he said.
Entities operating transit systems have also been a target of hackers. In August 2020, the Southeastern Pennsylvania Transportation Authority, which operates Philadelphia’s transit network, was hit by a ransomware attack. And in April, a hacker group believed to be linked to the Chinese government breached the computers of the Metropolitan Transportation Authority, which operates New York City’s subway system — the country’s largest, according to news reports.
The hackers did not gain access to MTA systems that control train cars, but the breach raised concerns about repeat attempts, officials said.
Asked to comment on the coming mandates, Rafail Portnoy, MTA’s chief technology officer, said: “The MTA has multilayered cybersecurity systems, is constantly vigilant against this global threat, and will ensure compliance with any TSA regulations.”
Ruth Clemens, a DHS spokeswoman, said the department “applauds the owners and operators who have already taken action based on the voluntary guidance provided by TSA, the Coast Guard, and CISA, but more needs to be done to ensure the transportation sector as a whole is prepared and resilient.”
Suzanne Spaulding, a former senior DHS official, said that despite the industry’s opposition to regulation, her sense is that the political ground is shifting.
“The attacks on Colonial Pipeline and [meat supplier] JBS got the public’s attention, which gets policymakers’ attention,” said Spaulding, a member of the Cyberspace Solarium Commission, a congressionally mandated group charged with recommending improvements to cybersecurity. “There is growing bipartisan support for stronger measures, including mandates. Industry needs to significantly up its game in cybersecurity to make the case that voluntary approaches work.”
Mayorkas also said that TSA plans to issue new requirements for critical U.S. airport operators and air passenger and cargo companies to designate a cybersecurity coordinator and report cyber incidents to CISA.
Aaron Schaffer and Justin George contributed to this report.