Dive Brief:
- The Transportation Security Administration (TSA) added two cybersecurity directives and additional voluntary guidance for rail owners and operators Thursday. The directives are primarily for higher-risk freight railroads, passenger rail and rail transit, DHS said.
- The directives require organizations in the rail industry to name a cybersecurity coordinator; report incidents within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA); develop an incident response plan; and complete a cybersecurity vulnerability assessment. The TSA has also issued requirements for airports and airline operators to adopt the coordinator and 24-hour reporting requirements. "TSA intends to expand the requirements for the aviation sector and issue guidance to smaller operators," the announcement said.
- The agency expects immediate implementation of the requirements, and has issued guidance for "all other lower-risk surface transportation" owners and operators to voluntarily adopt the same measures. The announcement is the second mandatory cybersecurity directive from the Department of Homeland Security's TSA this year; the first directive was published in May for pipeline owners and operators.
Dive Insight:
The TSA had not completed its assessment of cybersecurity weaknesses for pipeline cybersecurity, the Government Accountability Office (GAO) said in July. The GAO wants to see the TSA collect more data from pipeline owners and operators, and modernize aged protocols for incident response.
"Until GAO's recommendations to address issues such as these are fully implemented, federal agencies will not be effectively positioned to ensure critical infrastructure sectors are adequately protected from potentially harmful cybersecurity threats," a GAO report said, published Thursday.
The TSA had success with its May security directives for the pipeline industry and the same is expected for the rail industry. However, pipeline owners and operators had concern over the aggressive timeline the directives demanded.
"It is always a valid and repeatable statement that the industry should have a voice in any attempt by the government to establish regulation within their sectors," Kenneth Frische, director of cybersecurity and risk services for 1898 & Co., told Cybersecurity Dive in an email.
The TSA developed the rail measures using input from CISA and stakeholders in the public and private sectors, and expects to have a rule-making process for "certain surface transportation entities," DHS said.
For pipeline owners and operators, the TSA allowed alternative procedures to accomplish a cybersecurity requirement — it's a compromise that allows for flexibility, though the TSA still has to approve the alternative approach.
"Many of the inefficiencies in our economy and government can be traced to unfunded mandates and regulations imposed with negligible input from actual practitioners," Frische said. The transit and rail industry is not profitable — "spending money on cyber is difficult when your budget is already thin."
Even with financial setbacks and outdated technologies, the government has been having a conversation about transportation cybersecurity for at least six years.
"This has not been a sudden development … In 2016, I attended a public NIST conference session on this very topic," Frische said. The four initial provisions the TSA announced for the rail industry are "quite reasonable."
"Every one of the 16 critical infrastructure sectors should be expecting this," he said.
When the government identified the 16 critical infrastructure sectors, it assigned tiers to the industries facing the highest risk. Transportation was not initially listed as a tier 1 sector, which is the highest risk category. "It was only a matter of time before the government got around to regulating other tiers," Frische said.
Where the rail industry might run into issues with the new directives is the lack of specificity. Frische wants to know what qualifications a cyber coordinator must have and what standards should be used in a vulnerability assessment.
"Interpretations of 'risk assessment' and 'vulnerability assessment' vary greatly in every industry from a checkbox questionnaire to a more meaningful drill-down into IT and OT systems," he said.
Another issue is the incident reporting measure. The National Defense Authorization Act (NDAA) for FY2022 includes an incident reporting measure, which requires entities to report an incident within 72 hours of discovery, with the exception of ransomware. It is unknown if the NDAA requirement will supersede the TSA's rule for surface transportation.