TSA to issue cybersecurity requirements for US rail, aviation sectors

New rules include reporting incidents to CISA and naming cybersecurity leads, but experts and industry representatives cite lack of input.


After issuing cybersecurity requirements for pipeline companies via two directives earlier this year, the Transportation Security Administration (TSA) will now also issue cybersecurity requirements for rail systems and airport operators. The two pipeline directives followed a high-profile ransomware attack on Colonial Pipeline that shut off oil flow to the East Coast in May, sparking gas shortages and panic buying.

"TSA's broad responsibilities cover security at our airports, highways, and traffic management systems, pipelines, mass transit terminals and hubs, and subways and metros that carry billions of passengers every year," Department of Homeland Security (DHS) Secretary Alejandro Mayorkas said in announcing the new regulations yesterday. "Whether by air, land, or sea, our transportation systems are of utmost strategic importance to our national and economic security."

Rules to apply to high-risk railroads, rail transit entities

Speaking at the Billington Cybersecurity Summit, Mayorkas said that TSA is applying "lessons learned" from its pipeline experience to lay "the foundation for a more secure and resilient aviation and surface transportation sector." First, it will issue a new directive to cover high-risk railroads and rail transit entities. Although Mayorkas didn't spell out which railroads or rail transit entities would be covered, reports suggest that at the minimum, Amtrak and significant subway systems such as those in Washington, DC, and New York would fall under the regulations.

Mayorkas offered only a brief sketch of what the rail and subway directive would contain. It would require covered entities to identify a cybersecurity point person, report cyber incidents to DHS's Cybersecurity and Infrastructure Security Agency (CISA), and create a contingency and recovery plan to follow if they become victims of malicious cyber activity. For "lower-risk surface entities," TSA will issue separate guidance that encourages, rather than requires, these entities to follow the same measures, Mayorkas said.

Railroads had three days to respond

Although Mayorkas said that TSA is "coordinating and consulting with industry as we develop all of these plans," Jessica Kahanek, director of media relations at the Association of American Railroads (AAR), said in a statement that it "had only three business days to review and provide feedback on the draft security directive."

Moreover, railroads are already doing what the new directive seemingly requires, she added. The TSA directive "would require railroads to undertake actions that have long been in place – such as appointing cybersecurity coordinators, reporting and sharing information on cyber threats, incidents, and significant security concerns, and maintaining robust risk management and recovery plans."

"Significantly, railroads have consistently reported to federal security agencies on cybersecurity intelligence and incidents for several years, including notably CISA and its predecessor, DHS/IP, TSA, and the FBI through the AAR's Railway Alert Network (RAN)." The organization "hopes the substantive comments provided [to TSA] will be thoroughly considered in the decision on whether to proceed with the directive and to ensure any actions taken enhance, not hinder, coordinated cybersecurity efforts."

The number of aviation entities covered could gradually expand

In terms of aviation security, TSA will require that critical US airport operators, passenger aircraft operators, and all-cargo aircraft operators designate a cybersecurity coordinator and report cyber incidents to CISA, Mayorkas said. In addition, TSA will gradually expand the directive’s reach to cover other relevant entities and consider additional measures over time.

Finally, TSA is initiating a rulemaking process to develop a longer-term regime to strengthen cybersecurity and resilience in the transportation sector. To help transportation organizations better prepare for that process, the agency will issue an information circular recommending the completion of a cybersecurity self-assessment.

"It sounds like he's rolling out something like the [pipeline security directive one] and maybe even going forward [the more significant pipeline security directive two] stuff for other critical industries," Marco Ayala, director of ICS security, 1898 & Co., Burns & McDonnell, tells CSO. Echoing the comments of the railroad association, Ayala says that those directives felt rushed to the oil and gas industry.

Nobody wants regulatory burdens

"There are organizations, along with pipeline asset owners, saying, 'Hey, this is really prescriptive. You didn't give us enough time. We wish you would've worked with us more. You only gave us a few days to provide input or comments on certain things,'" Ayala says.

His assessment jibes with a recent report that made public the text of the previously "sensitive" second pipeline directive for the first time. Although some experts take a positive view of the pipeline directive, others say the requirements in the second pipeline directive would have benefited from greater consultation.

Ayala says that the rail and aviation directives make sense, but "It's all in the approach. Nobody wants a regulatory burden. I think it's good to look at our critical systems and our transportation systems, whether that be land, air, or sea. They are critical to our national infrastructure and the global infrastructure for our allies." But "the big concern is the government pushing things out without working with the industry. I think we need to do better there, honestly," he says.

Industry communication is rarely reciprocal

At the same time, however, critical infrastructure operators are skeptical of closer collaboration with the government because the flow of communications around these issues tends to be a one-way affair, Ayala says. The government says "it needs to be reciprocal, but it's rarely reciprocal. In other words, 'Tell us everything you know, and we'll tell you what we think you need to know.' When it comes down to understanding what's going on and what's impacting our systems, sometimes we feel that it's not very reciprocal."

One prominent lawmaker greeted the new TSA directives with enthusiasm. Congressman Jim Langevin (D-RI), a member of the bipartisan public-private Cyberspace Solarium Commission, said on Twitter that "Protecting our critical infrastructure means being prepared when cyber criminals strike. I applaud @SecMayorkas's decision to require rail/aircraft operators to name chief cyber officials, disclose cyber incidents, and have recovery plans at the ready."

Copyright © 2021 IDG Communications, Inc.