Following an initial set of cybersecurity requirements for airline and airport operators, the Transportation Security Administration will mandate another round of security protocols to include self-assessments and incident response plans, an agency official said on Thursday.
Previously, TSA directed entities within the aviation sector to designate a cybersecurity coordinator and report specific cybersecurity incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, Victoria Newhouse, deputy assistant administrator for policy, plans and engagement, told the House Transportation and Infrastructure Committee.
The House panel is examining the cybersecurity of U.S. critical infrastructure.
The cybersecurity directives for the aviation community follow separate mandates from TSA earlier this year to pipeline operators. The directives were precipitated by a ransomware attack in May against Colonial Pipeline’s information technology networks, an event that led the company to temporarily shut down pipeline operations to ensure the cyber malware didn’t leap from its information to its operational networks.
The pipeline directives in May and July were followed on Thursday by cybersecurity protocols for “higher risk freight railroads, passenger rail and transport operators,” DHS said. In all cases, TSA is requiring four actions, including designating a cybersecurity coordinator, reporting incidents to CISA, developing an incident response plan, and conducting self-assessments to identify and mitigate potential vulnerabilities.
As part of the new directives for surface transportation owners and operators, TSA provided voluntary guidance to lower-risk rail operators to implement the same required measures as the higher-risk entities, DHS said.
“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” DHS Secretary Alejandro Mayorkas said in a statement. “DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”
DHS also said that TSA will begin a rule-making process for some surface transportation owners and operators to increase their cybersecurity resilience. TSA will also expand its security requirements in the aviation sector to smaller operators, DHS said.
Regarding the first pipeline security directive, Newhouse told the committee that all the covered pipeline operators have met the requirements, which include establishing a cybersecurity coordinator and reporting incidents to CISA. Based on feedback from stakeholders, TSA did “modify” the definition of reportable incidents to “not include all potential incidents,” she said, noting, “We have narrowed that and focused that based on industry feedback.”