Some Republican senators on the Commerce, Science, and Transportation Committee have asked the Transportation Security Administration to reconsider its plans to issue mandatory cybersecurity requirements for the rail, rail transit and aviation industries without first discussing these directives with the entities and in the absence of an immediate threat.
Homeland Security Secretary Alejandro Mayorkas earlier this month said that TSA would be issuing another cybersecurity directive that would require railroad and rail transit entities to report cyber incidents to the Cybersecurity and Infrastructure Security Agency, have contingency and recovery plans for incidents, and have a point person for cybersecurity within their organizations.
TSA has not yet issued the new directives, which would follow two mandates published earlier this year aimed at the pipeline industry in the wake of a ransomware attack against Colonial Pipeline this spring that resulted in the pipeline operator temporarily shutting down its operations. The earlier directives require pipeline owners and operators to implement specific measures to protect against ransomware attacks and other known threats to their information and operational technology systems, report potential and confirmed cybersecurity incidents to the Department of Homeland Security, assess and identify gaps and remediation measures, establish contingency and recovery plans, and have a point person for cybersecurity coordination efforts.
The agency has security authorities related to various components of the transportation industry.
“We encourage you to reconsider whether using emergency authority is appropriate absent an immediate threat,” Sens. Roger Wicker (Miss.), the ranking member of the committee, John Thune (S.D.), Deb Fischer (Neb.), Todd Young (Ind.), and Cynthia Lummis (Wyo.), wrote in their Oct. 19 letter to TSA Administrator David Pekoske. “With the benefit of public notice and comment through the rulemaking process, TSA may avoid any unintended consequences that disrupt existing effective cybersecurity practices or transportation operations.”
Stakeholders in the rail and aviation industries are concerned that the definition of a cybersecurity incident in the pending regulations is overly broad and would require reporting on incidents before an entity can assess the severity, which could waste time and resources.
The senators also said that TSA’s approach is not in line with the Biden administration’s urging of government and industry to work together on cybersecurity solutions. They wrote that “allowing outside experts to comment will lead to more effective and sustainable cybersecurity actions and measures” and that “A more deliberate approach will reduce the risks and increase the benefits.”
The senators would prefer that TSA establish performance standards and goals for the rail and aviation industries to meet rather than implementing specific regulations.