TSA Launching Cybersecurity Requirements for Rail, Aviation

The Transportation Security Administration will require major rail and aviation entities to meet cybersecurity requirements, Homeland Security Secretary Alejandro Mayorkas said Wednesday.

TSA will issue a new security directive later this year for higher-risk railroad and rail transit entities requiring them to report cyber incidents to the Cybersecurity and Infrastructure Security Agency. It will also require the entities to each identify a cybersecurity coordinator and issue contingency recovery plans in case they are hit by a cyberattack, Mayorkas said at the virtual Billington Cybersecurity Summit.

The directives come after an uptick in cyber and ransomware attacks on the public and private sectors in the U.S. in the last year.

Photo: Ellen M. Gilmer/Bloomberg Government

Homeland Security Secretary Alejandro Mayorkas speaks at the department’s headquarters in Washington, D.C. on July 13.

The agency will also issue a security directive by next spring to require critical U.S. airport operators, passenger aircraft operators, and all air cargo operators to report cyber incidents to CISA and to each designate a cyber coordinator, he said.

“Reducing cybersecurity risk is in every organization’s self interest, especially considering the indiscriminate nature of ransomware,” Mayorkas said.

TSA will issue separate guidance for lower-risk surface transit entities that would encourage, but not require, they take the same measures to reduce cybersecurity risk.

TSA will separately start a rulemaking process to develop a longer-term regime to strengthen cybersecurity and resilience in the transportation sector. The agency will be issuing an information circular to transit entities “to maximize industry input and inform this rulemaking process,” he said.

Rail Pushback

Jessica Kahanek, director of media relations at the Association of American Railroads, said the rail industry had only three business days “to review and provide feedback on the draft security directive.” Kahanek said railroads have already been working to address cyber risks with government agencies, and prefers the Biden administration’s previous approach outlined in July that involved public-private partnership.

Kahanek said the new directive would require railroads to undertake actions “that have long been in place,” including appointing cybersecurity coordinators, reporting information on cyber threats, and maintaining risk management and recovery plans.

“AAR hopes the substantive comments provided will be thoroughly considered in the decision on whether to proceed with the directive and to ensure any actions taken enhance, not hinder, coordinated cybersecurity efforts,” Kahanek said in a statement.

Transit systems have faced cybersecurity hacks in recent years. New York’s Metropolitan Transportation Authority’s computer systems were hacked in April, but the breach didn’t become public until June. The event spurred lawmakers to question the cyber safety of the transportation sector.

“News of the MTA cyberattack perpetrated by suspected Chinese hackers is further evidence that we cannot wait to improve our nation’s cyber preparedness,” Rep. Andrew Garbarino (R-N.Y.), ranking member of the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation said in a statement then.

To contact the reporters on this story: Rebecca Kern in Washington at rkern@bgov.com; Lillianna Byington in Washington at lbyington@bloombergindustry.com

To contact the editors responsible for this story: Sarah Babbage at sbabbage@bgov.com; Zachary Sherwood at zsherwood@bgov.com