TSA to issue regulations to secure rail, aviation groups against cyber threats

The Transportation Security Administration (TSA) will soon issue regulations to further secure rail transit and airline companies against cyber threats, Homeland Security Secretary Alejandro Mayorkas announced Wednesday.

“To strengthen the cybersecurity of our railroads and rail transit, TSA will issue a new security directive this year that will cover higher-risk railroad and rail transit entities,” Mayorkas, whose agency includes TSA, said during a virtual address at the Billington Cybersecurity Summit. 

According to Mayorkas, the directive will require these groups to “identify a cybersecurity point person” charged with reporting cybersecurity incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), along with establishing “contingency and recovery plans” in the case of cyberattacks.

In addition, Mayorkas announced that TSA will also issue regulations to shore up cybersecurity in the aviation sector.

“TSA will require critical U.S. airport operators, passenger aircraft operators, and all cargo aircraft operators to designate a cybersecurity coordinator and report cyber incidents to CISA,” Mayorkas said. “TSA will expand the covered entities gradually to other relevant entities and consider additional measures over time.” 

TSA will also issue guidance for what Mayorkas described as “lower risk entities” that will encourage these companies to take the same security measures as the rail and aviation groups, but not require them to, and TSA will soon kick off a rulemaking process to ensure longer-term security for the transportation sector. 

“Reducing cybersecurity risk is in every organization’s self interest, especially considering the indiscriminate nature of ransomware,” Mayorkas said.

Reuters first reported the new regulations Wednesday. 

The new rules come after TSA earlier this year issued two security directives to secure pipelines against cyberattacks following the devastating ransomware attack on Colonial Pipeline in May, which led to temporary fuel shortages in multiple states. 

The previous directives require owners and operators of critical pipelines to report cybersecurity incidents to CISA within 12 hours and to take security measures to protect against ransomware attacks and develop cyberattack recovery plans, among other requirements.  

Not everyone was pleased with the upcoming security regulations. A spokesperson for the Association of American Railroads (AAR), whose members include the National Railroad Passenger Corporation, or Amtrak, told The Hill that the rail industry was only given three days to review the security directive, and that some of the requirements were unnecessary. 

“In his remarks announcing the directive, Secretary Mayorkas announced that it would require railroads to undertake actions that have long been in place – such as appointing cybersecurity coordinators, reporting and sharing information on cyber threats, incidents, and significant security concerns, and maintaining robust risk management and recovery plans,” the spokesperson said.

“AAR hopes the substantive comments provided will be thoroughly considered in the decision on whether to proceed with the directive and to ensure any actions taken enhance, not hinder, coordinated cybersecurity efforts,” they added. 

The Biden administration has been forced to prioritize cybersecurity threats in the wake of both the Colonial Pipeline attack and other major cyber incidents. These have included ransomware attacks on meat producer JBS USA and IT company Kaseya, and state-sponsored cyberattacks like the SolarWinds hack, which allowed Russian government hackers to compromise numerous federal agencies for much of last year.  

President Biden signed an executive order in May to shore up federal cybersecurity, while Congress is considering numerous pieces of legislation to require federal agencies and critical infrastructure owners and operators to both report cybersecurity incidents if they pay ransoms. A top Justice Department official said Wednesday that the agency is kicking off a program to go after government contractors that fail to report breaches.  

Mayorkas noted that the security directives and other measures, such as the department prioritizing funneling federal funds into cybersecurity initiatives, were just a portion of steps the administration was taking to improve cybersecurity.

“In many respects, our transportation sprint and our department-wide efforts are a microcosm of our administration’s whole-of-government approach to cybersecurity, and I’ve only just scratched the surface of what we are doing as a department and as an administration to meet this moment,” Mayorkas said. “Every day, we dive deeper into new and innovative ways to up our cyber game.”

-Updated at 6:03 p.m.