DHS Issues Cybersecurity Standards for Transportation Sector, TSA Responds to Industry Feedback

The Department of Homeland Security's (DHS) initiative on cybersecurity in the transportation sector has developed an initial set of requirements aimed at pipelines, rail operators, aviation, and other entities.

“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” stated Homeland Secretary Alejandro Mayorkas, “DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”

As a result of the Colonial Pipeline hack in May, the Transportation Security Administration (TSA) began imposing cybersecurity requirements. TSA issued an initial security directive which required high-risk pipelines and natural gas facilities were required to notify CISA within 12 hours of experiencing a cyber incident, as well as to appoint a cybersecurity coordinator and to evaluate their procedures.

In a directive change issued last week by the TSA, pipeline operators are now required to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).

The TSA subsequently issued two security directives for the rail industry, requiring new cybersecurity measures to be implemented by certain rail operators and owners. Cybersecurity incidents must be reported to the Cybersecurity and Infrastructure Security Agency within 24 hours; a cyber incident response plan must be developed within 180 days; and a cyber safety assessment must be conducted within 90 days. According to DHS officials, the new guidelines will affect about 80 percent of freight rail operations and 90 percent of passenger rail operations. Though smaller entities may be exempted based on risk factors, they are still recommended to follow the guidelines.

Additionally, the TSA is collaborating with other regulatory agencies to update security requirements for high-risk operators in the aviation industry to match those for pipeline and rail operators. A senior official at DHS says that the requirements related to cybersecurity coordinators and reporting cyber security incidents have already been implemented, and those for vulnerability assessments and cyber response plans are expected soon. 

The TSA aims to further engage in rulemaking to enhance cybersecurity requirements, with directives that follow similar guidance issued earlier this year; however, securing both public and private sector critical infrastructure remains a challenge, according to Nick Marinos, director of information technology and cybersecurity at the Government Accountability Office (GAO).

"We have seen consistently in our work that agencies have had challenges in maintaining very up-to-date sector plans that actually would talk about the cyber threats that agencies are facing and the infrastructure is facing today,” stated Marinos, “While there is resiliency built in in many ways to physical attacks, the cyber-attacks continue to show us that we need to do more to not only shore up specific sectors, but the entire nation’s approach to cybersecurity as well."

The newly mandated cybersecurity measures have been criticized by lawmakers, with some calling for the DHS Inspector General (IG) to investigate the TSA's development of current cybersecurity requirements for pipelines, saying they were developed too quickly without consulting industry experts.

Deputy Assistant. Administrator for the TSA Office of Security Policy and Industry Engagement (OSPIE) Victoria Newhouse stated the agency is responding to these concerns. At Newhouse's hearing before the House Transportation Committee, she cited a new definition of "cybersecurity incident" that allows industry more discretion in determining what should trigger reporting mandates.

“We have heard a number of concerns to ensure that all operators large and small can apply these cybersecurity measures in effective and efficient manner, so we do take that into consideration,” Newhouse added, “And we continue to elicit feedback. We’re not just done when we issue the documents. It’s a continuous feedback loop and improvement and we have to stand committed to that.”

Under emergency authority, temporary directives have been issued to pipeline operators as well as rail operators. It is expected that the DHS will issue a formal rulemaking regarding the implementation of a long-term cybersecurity plan for the transportation sector.