Several U.S. senators have sent a letter to the Department of Homeland Security (DHS) and the Department of Transportation (DOT), requesting information about the cybersecurity of the nation’s transportation infrastructure.
The letter was signed by 10 Republican and Democratic senators led by Jacky Rosen (D-NV) and Roger Wicker (R-MS).
The lawmakers want information on the two departments’ capabilities when it comes to detecting, preventing and responding to cyberattacks. Specifically, they are seeking information on how the DHS and DOT are meeting their six responsibilities, as described in the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021.
These responsibilities include supporting sector risk management, assessing sector risk, sector coordination, facilitating information sharing, supporting incident management, and contributing to emergency preparedness efforts.
The senators have also requested information on how the two organizations are collaborating in an effort to avoid gaps and redundancies in risk management, as well as on plans to update the Transportation Systems Sector-Specific Plan from 2015, to ensure that it’s in line with the current threat landscape.
The lawmakers have pointed out that cyber threats to transportation systems are expected to increase, and provided the recent Colonial Pipeline incident as an example. Their letter also cites a study conducted last year by the Mineta Transportation Institute, which found that only 60% of transit agencies had a cybersecurity plan in place.
“We recognize that DHS and DOT have the complex and enormous responsibility of ensuring the security and resilience of the nation’s transportation systems, supporting the systems’ ability to quickly, safely, and securely move people and goods throughout the country and overseas,” the senators wrote.
The Transportation Security Administration (TSA) in December announced new directives and recommendations aimed at strengthening the cybersecurity defenses of rail and airport operators.
The new directives require most operators to identify a cybersecurity point person, report incidents to CISA within 24 hours, conduct vulnerability assessments, and develop contingency and recovery plans.