Nearly all railroads and airlines in the United States have been ordered to report cybersecurity breaches to the federal government.
Under the new Transportation Security Administration–issued mandate, rail operators, airport operators and airline operators will be required to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours of detection.
All three types of operators will also have to designate a cybersecurity coordinator. The mandate applies to both passenger and freight railroads.
The mandates also require railroad operators to complete a vulnerability review to determine how susceptible they are to cyber-attacks, and to create and implement a cybersecurity incident response plan.
The fresh security regulations were announced by senior officials at the US Department of Homeland Security (DHS) on Thursday and will come into force on the last day of this month.
“Cybersecurity incidents affecting transportation are a growing, evolving and persistent threat,” Victoria Newhouse, TSA’s deputy assistant administrator, told the House Transportation Committee on Thursday.
“Across US critical infrastructure, cyber threat actors have demonstrated their willingness and ability to conduct malicious cyber activities targeting critical infrastructure by exploiting the vulnerability of operational technology and information technology systems.”
Several cyber-attacks targeting the rail sector have been reported over the past twelve months. They include a ransomware strike on Toronto’s transit agency, a breach of New York’s Metropolitan Transportation Authority’s computer systems and an attack on the Transportation Authority in Ann Arbor, Michigan.
The new rules echo similar mandates directed at improving the security of America’s pipelines, which the Biden administration issued in the wake of the cyber-attack on Colonial Pipeline.
“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” Department of Homeland Security Secretary Alejandro Mayorkas said.
“DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”
The Wall Street Journal reports that the new mandates will affect roughly 90% of passenger rail systems in the US and 80% of freight railways.
Sarah Coble News Writer | INFOSECURITY MAGAZINE