TSA Requires Rail and Airports to Strengthen Cybersecurity

The Transportation Security Administration is issuing new directives and recommendations aimed at strengthening the cybersecurity defenses of U.S. rail and airport operators.

The Biden administration said the requirements made public Thursday are part of a broader effort to protect the nation’s critical infrastructure from ongoing cyberespionage and a surge in disruptive ransomware attacks.

“These new cybersecurity requirements and recommendations will help keep the traveling public safe,” Homeland Security Secretary Alejandro Mayorkas said in a statement. He had previously previewed the new regulations in October.

The new TSA directives require most passenger and freight rail operators to identify a cybersecurity point person, report incidents within 24 hours to the Cybersecurity and Infrastructure Security Agency, conduct a vulnerability assessment and develop a contingency and recovery plan in case of malicious cyber activity. They go into effect at the end of the year and the TSA said it is making similar changes to requirements for airport operators.

The TSA said it is recommending but not mandating cybersecurity requirements to some smaller and lower-risk rail and airport operators.

The new regulations are similar to ones issued in May for pipeline operators following the Colonial Pipeline ransomware attack that disrupted gas supplies in several states.

Republican lawmakers have expressed concern that the TSA has crafted new cybersecurity directives without enough transparency and input from affected industries.

“We believe that care must be taken to avoid unnecessarily burdensome requirements that shift resources away from responding to cyberattacks to regulatory compliance,” a group of Republican senators said in an October letter to DHS’ Office of Inspector General asking for a review of TSA’s process for developing new cybersecurity regulations.

Victoria Newhouse, a TSA deputy assistant administrator, said at a congressional hearing Thursday that the agency had worked closely with private industry officials in crafting the regulations. She said that included a classified briefing with freight and passenger rail executives earlier this week to share intelligence reports about cyber threats to their industry and to solicit input on regulations.

The Biden administration has been pushing aggressively for greater private sector reporting of cyber incidents to the federal government. The Justice Department recently indicated it would sue government contractors and other companies who receive U.S. government grants if they fail to report breaches of their computer systems or misrepresent their cybersecurity practices.
